Nexus Mutual, an Ethereum-based discretionary cover startup, has quietly resolved two vulnerabilities on its platform.
One vulnerability could have potentially put part of the funds in Nexus Mutual at risk, the firm's CTO Roxana Danila wrote in a blog post published on Tuesday.
The vulnerability, found by security researcher Samczsun, was similar to a recent bug that ultimately affected the bZx team's project. In the Nexus Mutual case, the vulnerability could have allowed an attacker to exchange ether (ETH) for DAI on the Uniswap exchange.
Nexus Mutual's funds are currently held in DAI and ETH, and it was relying on Oraclize to trigger a rebalance via Uniswap. Simply put, the vulnerability allowed any third party to trigger a treasury rebalance at any time. After receiving Samczsun's report, Nexus Mutual "killswitched the system's interaction with Uniswap."
"In the short term, if claims in DAI are to be paid, we'll raise a governance proposal to transfer the required ETH to the Advisory Board multi-sig, exchange them for DAI, and pay the claim. Long term, we're looking to integrate with a manipulation-resistant DEX, and are currently evaluating options," Danila said.
She acknowledged that the recent bZx attacks should have been a "huge red flag" for Nexus Mutual as well, "but we were overwhelmed by our product being put to its first real test to successfully pay a claim."
Governance system vulnerability
Another vulnerability, found by blockchain developer and researcher Mudit Gupta, was related to the governance system utilized by Nexus Mutual.
In the system, certain actions are automatically executed if a proposal is accepted. The system uses categories to define which action should be executed. However, categories only define the smart contract on which the action should be executed, Gupta told The Block.
"The actual function to be called in that smart contract is part of the proposal. This can lead to situations where an attacker can masquerade their proposal as belonging to a 'safe' category but actually call an 'unsafe' function through the proposal," said Gupta.
Gupta went on to explain that in Nexus Mutual's governance system, some categories allowed the advisory board members to take certain actions unilaterally. For example, there was a category to start an emergency pause. It required only a single "yes" vote to succeed and be executed.
"It looks safe on the face of it since it is supposed to pause the system in emergencies and the system can be unpaused at a later stage. However, due to the fact that the system does not verify what function is being called via the proposal, an attacker would've been able to craft a proposal that upgraded Nexus Mutual's smart contracts to a malicious version instead of starting an emergency pause," he explained.
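The category-versus-function gap Gupta describes, as an added illustration that is not Nexus Mutual's code: a hypothetical Solidity executor whose category records only a target contract and vote threshold, next to one that also binds the category to a single function selector (contract, struct and function names are assumptions).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical governance executor (assumed names, not Nexus Mutual's code):
// a category fixes target and vote threshold; the proposal carries calldata.
contract GovernanceExecutor {
    struct Category {
        address target;      // contract this category may act on
        bytes4 selector;     // function this category may call (used by the fix)
        uint256 minYesVotes; // e.g. 1 for an emergency-pause category
    }
    struct Proposal {
        uint256 categoryId;
        bytes data;          // full calldata chosen by the proposer
        uint256 yesVotes;
        bool executed;
    }
    Category[] public categories;
    Proposal[] public proposals;
    // Setup is deliberately minimal: no access control on categories or voting.
    function addCategory(address t, bytes4 s, uint256 minYes) external { categories.push(Category(t, s, minYes)); }
    function propose(uint256 cat, bytes calldata d) external { proposals.push(Proposal(cat, d, 0, false)); }
    function vote(uint256 id) external { proposals[id].yesVotes += 1; }
    function _passed(uint256 id) internal view returns (Proposal storage p, Category storage c) {
        p = proposals[id];
        c = categories[p.categoryId];
        require(!p.executed && p.yesVotes >= c.minYesVotes, "not passed");
    }
    function _run(Proposal storage p, address target) internal {
        p.executed = true;
        (bool ok, ) = target.call(p.data);
        require(ok, "call failed");
    }
    function _selector(bytes memory d) internal pure returns (bytes4 s) { // first 4 bytes of calldata
        require(d.length >= 4, "calldata too short");
        assembly { s := mload(add(d, 32)) }
    }
    // VULNERABLE: the category fixes only the target; the proposer picks the
    // function, so a 1-vote "pause" category can invoke anything on target.
    function executeVulnerable(uint256 id) external {
        (Proposal storage p, Category storage c) = _passed(id);
        _run(p, c.target);
    }
    // HARDENED: the category also binds the function selector, and calldata
    // aimed at any other function is rejected before the call is made.
    function executeHardened(uint256 id) external {
        (Proposal storage p, Category storage c) = _passed(id);
        require(_selector(p.data) == c.selector, "function not in category");
        _run(p, c.target);
    }
}
```

With `executeHardened`, a proposal filed under a category whose selector is the pause function cannot reach an upgrade function on the same target, whatever calldata the proposer supplies.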
Nexus Mutual has temporarily resolved the bug by modifying all categories. Danila said the "permanent fixes are in the final stages of development and will be put in place in a few days."
Nexus Mutual categorized the vulnerability found by Gupta as a "medium severity issue," while the one found by Samczsun has been categorized as a "high severity issue." In light of their responsible disclosures, Gupta and Samczsun will receive bounties of $2,000 and $5,000, respectively, Danila said. She stressed that neither vulnerability has been exploited and no funds have been compromised.
© 2023 The Block. All Rights Reserved.