Recent events led to us paying our first and second ever claims on Nexus Mutual!
📖Read about it here: https://t.co/CpLX6pXBXJ
— Nexus Mutual 🐢 (@NexusMutual) February 19, 2020
At the time of the attack, Nexus Mutual had 6 members who took out covers on bZx:
- 50,000 DAI
- 30,000 DAI
- 100 DAI
- 4 ETH
- 2,600 DAI
- 5 ETH (purchased following the announcement)
In total, there was roughly $87,000 in coverage on the bZx smart contracts.
The mutual is currently processing four claims. Claim #1, for 50,000 DAI, was originally denied with 7/8 claims assessors voting No.
It is important to note that while the first claim was initially denied, claims can always be resubmitted.
Claim #2 was accepted with 4/4 assessors voting yes while Claim #3 was also accepted with 9/10 assessors voting yes. The most recent claim, Claim #4, is a re-submission of Claim #1 following new information in light of the bZx post-mortem. More on this in the next section.
All accepted claims immediately received their payouts once the voting closed.
The First Claim
The first Nexus Mutual claim processed via assessment was declined as 7/8 assessors voted no, staking a combined 76,000 NXM in the process. The first claim was submitted directly following the attack, when available information, especially from trusted sources, was scarce. As such, many of the members voted no based on the information at hand, which was in line with the guidelines set by the mutual.
For those unfamiliar, Nexus Mutual is a discretionary mutual where members are able to vote on whether or not to pay out claims. One of the core criticisms from the broader community is that Nexus Mutual members have an incentive to always decline claims, as NXM tokens decrease in value when claims are paid out.
However, if the mutual began to continuously deny legitimate claims, no users would contribute to the platform or purchase covers – ultimately defeating the core purpose of the mutual and driving the capital pool (and the token) to zero. Therefore, members should always take a long-term view when voting on claims: the more legitimate claims are paid, the more contributions the mutual will receive.
bZx’s Post Mortem
bZx’s post-mortem was released earlier this week, providing significantly more details on the attack. The driving takeaway from the release:
“8:30 am MST: The team identified a safeguard that was bypassed. There was a safety check that did not fire, caused by a logic error in flagging the loan as overcollateralized. Overcollateralized loans don’t involve swaps, which bypasses the final slippage check.”
The DeFi community originally thought that bZx’s code functioned properly and that there was no unintended use of the smart contract, as the attacker simply executed a sophisticated arbitrage opportunity. However, the post-mortem highlighted that the final safeguards within the lending platform were bypassed, which moves the arbitrage opportunity into the category of a smart contract bug.
One of the Nexus Mutual members (who also had a cover on bZx) was able to cross-reference the smart contract cover wording with the information from the post-mortem, making a pretty clear-cut case for the claims to be valid.
The new information released in bZx’s post-mortem gave Nexus Mutual members who purchased a cover on the lending platform grounds for valid claims. As such, we saw two of the mutual’s claims finalized and approved, resulting in their immediate payout.
- Claim #2 received a payout of 4 ETH
- Claim #3 received a payout of 30,000 DAI
Claim #4 is still being processed by the claim assessors. Given how previous claims have been accepted, we strongly expect that this claim will also be paid out for a total of 50,000 DAI to the claimant.
With that, there are still three outstanding covers that have yet to be claimed:
- 5 ETH (purchased after the attack)
- 2,600 DAI
- 100 DAI
Since the 5 ETH cover was purchased after the attack, it goes against the wording in the smart contract covers, and it is highly unlikely to be paid if the claimant attempts to receive a payout.
With Nexus Mutual paying out their first claims, the importance of insurance is being realized by the broader DeFi community. Having a growing insurance fund, now with a track record of paying out claims following an attack, provides the much-needed trust for the DeFi community to continue to take out more covers on their deposits.
With the introduction of Opyn earlier last week, it will be interesting to see how Nexus Mutual fares with a new insurance provider in the space. In the coming months, we can expect that insurance providers covering technical and financial risk will continue to see the majority of growth.
The importance of insurance in DeFi cannot be overstated. Unfortunately, a $350,000 arbitrage exploit is just the beginning. That’s less than 0.03% of the $1.2B in total value locked.
What would happen if Maker was compromised? Or Compound? What happens if popular protocols that aggregate hundreds of millions in value locked in their respective smart contracts are exploited? These would become massive problems for the DeFi space as a whole, unless a majority of the ecosystem was insured.