DeFi startup Nexus Mutual resolves two vulnerabilities, will pay $7,000 in bug bounties

Quick Take

  • DeFi firm Nexus Mutual, which offers an alternative to insurance, has quietly resolved two vulnerabilities
  • One was similar to what bZx experienced recently; another was related to its governance system
  • Nexus Mutual said it will pay $7,000 in bug bounties to researchers who disclosed the bugs.

Nexus Mutual, an Ethereum-based discretionary cover startup, has quietly resolved two vulnerabilities on its platform.

One vulnerability could have potentially put part of the funds in Nexus Mutual at risk, the firm's CTO Roxana Danila wrote in a blog post published on Tuesday. 

The vulnerability, found by security researcher Samczsun, was similar to a recent bug that ultimately affected the bZx team's project. In the Nexus Mutual case, the vulnerability could have allowed an attacker to exchange ether (ETH) for DAI on the Uniswap exchange.

Nexus Mutual's funds are currently held in DAI and ETH, and it was relying on Oraclize to trigger a rebalance via Uniswap. Simply put, the vulnerability allowed any third party to trigger a treasury rebalance at any time. After receiving Samczsun's report, Nexus Mutual "killswitched the system's interaction with Uniswap."

"In the short term, if claims in DAI are to be paid, we'll raise a governance proposal to transfer the required ETH to the Advisory Board multi-sig, exchange them for DAI, and pay the claim. Long term, we're looking to integrate with a manipulation-resistant DEX, and are currently evaluating options," Danila said.

She acknowledged that the recent bZx attacks should have been a "huge red flag" for Nexus Mutual as well, "but we were overwhelmed by our product being put to its first real test to successfully pay a claim."

Governance system vulnerability

Another vulnerability, found by blockchain developer and researcher Mudit Gupta, was related to the governance system utilized by Nexus Mutual.


In the system, certain actions are automatically executed if a proposal is accepted. The system uses categories to define which action should be executed. However, categories only define the smart contract on which the action should be executed, Gupta told The Block.

"The actual function to be called in that smart contract is part of the proposal. This can lead to situations where an attacker can masquerade their proposal as belonging to a 'safe' category but actually call an 'unsafe' function through the proposal," said Gupta.

Gupta went on to explain that in Nexus Mutual's governance system, some categories allowed the advisory board members to take certain actions unilaterally. For example, there was a category to start an emergency pause. It required only a single "yes" vote to succeed and be executed.

"It looks safe from the face of it since it is supposed to pause the system in emergencies and the system can be unpaused at a later stage. However, due to the fact that the system does not verify what function is being called via the proposal, an attacker would've been able to craft a proposal that upgraded Nexus Mutual's smart contracts to a malicious version instead of starting an emergency pause," he explained.

Nexus Mutual has temporarily resolved the bug by modifying all categories. Danila said the "permanent fixes are in the final stages of development and will be put in place in a few days."
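To make the category mismatch Gupta describes concrete, here is an added Solidity illustration (not Nexus Mutual's code, and not its actual fix): a governance executor whose categories pin only the target contract, beside a version that also binds each category to a single function selector. Contract and field names are assumptions, and vote counting and category registration are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration; names are assumptions, not Nexus Mutual's.
contract VulnerableExecutor {
    struct Category {
        address target;      // the only thing the category pins down
        uint8 votesRequired; // e.g. 1 for an "emergency pause" category
    }
    mapping(uint256 => Category) public categories;

    // The proposal carries arbitrary calldata for the category's target.
    // Nothing checks that it encodes the action the category implies, so
    // a 1-vote "pause" category can carry an upgrade call instead.
    function execute(uint256 categoryId, bytes calldata action, uint8 votes) external {
        Category memory c = categories[categoryId];
        require(votes >= c.votesRequired, "not enough votes");
        (bool ok, ) = c.target.call(action);
        require(ok, "call failed");
    }
}

contract HardenedExecutor {
    struct Category {
        address target;
        bytes4 selector;     // the one function this category may invoke
        uint8 votesRequired;
    }
    mapping(uint256 => Category) public categories;

    function execute(uint256 categoryId, bytes calldata action, uint8 votes) external {
        Category memory c = categories[categoryId];
        require(votes >= c.votesRequired, "not enough votes");
        // Reject calldata whose 4-byte selector is not the one bound to
        // this category, so the vote threshold matches the action taken.
        require(action.length >= 4 && bytes4(action[:4]) == c.selector, "function not allowed");
        (bool ok, ) = c.target.call(action);
        require(ok, "call failed");
    }
}
```

The selector check is one way to tie a category's vote threshold to a specific action; a registry of allowed (target, selector) pairs per category would generalize it.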

Nexus Mutual categorized the vulnerability found by Gupta as a "medium severity issue," while the one found by Samczsun has been categorized as a "high severity issue." In light of their responsible disclosures, Gupta and Samczsun will receive bounties of $2,000 and $5,000, respectively, Danila said. She stressed that neither of the vulnerabilities has been exploited and no funds have been compromised.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Yogita Khatri is a senior reporter at The Block, covering all things crypto. As one of the earliest team members, Yogita has played a pivotal role in breaking numerous stories, exclusives and scoops. With nearly 3,000 articles under her belt, Yogita holds the records as The Block's most-published and most-read author of all time. Prior to joining The Block, Yogita worked at crypto publication CoinDesk and The Economic Times, where she wrote on personal finance. To contact her, email: [email protected]. For her latest work, follow her on X @Yogita_Khatri5.