Audits and Security
Review Nexus Mutual's audits, bug bounties, and initiatives to strengthen our protocol's security.
Audits
Below is a list of audits conducted on Nexus Mutual's smart contracts, in order of newest to oldest. You can also review Nexus Mutual's GitHub, where these reports are hosted.
iosiro audit | October 2023
iosiro was commissioned by Nexus Mutual to conduct an audit on the Ratcheting AMM (RAMM) contracts.
Chaos Labs economic audit | October 2023
Chaos Labs was commissioned by the Foundation to conduct an economic audit of the Ratcheting AMM (RAMM) design and mechanism. The initial announcement was made on the Nexus Mutual governance forum.
iosiro audits | November - December 2022, February - March 2023
iosiro was commissioned by Nexus Mutual to conduct an audit on all contracts under the contracts/modules folder.
iosiro audits | May 2021 & June 2021
iosiro was commissioned by Nexus Mutual to conduct a smart contract audit on:
- The stacked risk, onchain MCR, and swap operator contracts
- The distributor smart contract
- The emergency response smart contract
G0 Group audits | June 2020, November 2020, & March 2021
The G0 Group was commissioned by Nexus Mutual to conduct a smart contract audit on:
Solidified audit | April 2019
Solidified was commissioned by Nexus Mutual to conduct a smart contract audit on the smart contracts and associated components.
Security
Nexus Mutual works to ensure the smart contract system is safe and secure. Regular audits are an important part of maintaining the security of the smart contract system, but there are other approaches the Mutual takes to keep the protocol secure.
Security for RAMM launch
Pending a successful onchain governance vote, the RAMM will launch in late November. At launch, the Engineering team will employ the following security measures to ensure the launch is closely monitored:
- Implementing circuit breakers in RAMM contract. The RAMM contract will be deployed with circuit breakers in the code, which will limit the maximum amount of ETH that can be withdrawn and the maximum amount of NXM that can be minted via capital contributions over a defined period of time. The limits will be progressively raised over time, after careful monitoring of the system.
- Active smart contract monitoring with Tenderly alerts. The Engineering team uses Tenderly alerts to monitor for specific events within the protocol. At launch, the Engineering team will have enhanced monitoring in place for the RAMM contracts and any associated events within the protocol, so that the smart contracts can be watched closely.
- Emergency pause functionality for RAMM contract. The Advisory Board has the power to enact an emergency pause on the RAMM contract should any malicious activity take place, which will prevent any minting or redeeming from occurring that would result in a loss of value for members. This power would only be used in an extreme situation and serves as a last resort.
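To make the first measure concrete, the following is a Python model added for this page (it is not Nexus Mutual's RAMM contract code) of per-window caps on ETH redeemed and NXM minted: a transaction that would push the window total over its cap is rejected rather than partially filled, both counters reset at the window boundary, and the cap can be raised later. The one-day window, the cap values and the "governance action" comment are assumptions for the demonstration, not values from the page.

```python
from dataclasses import dataclass, field

WEI = 10**18  # ETH and NXM amounts in 18-decimal base units

class CircuitBreakerTripped(Exception):
    """A redeem or mint would exceed the cap for the current window."""

@dataclass
class RammCircuitBreaker:
    period: int                  # window length in seconds (constructed value below)
    limits: dict                 # per-window caps: {"eth_out": ..., "nxm_mint": ...}
    window_start: int = 0
    used: dict = field(default_factory=dict)

    def _consume(self, now: int, kind: str, amount: int) -> int:
        # Fixed windows aligned to the period; all counters reset at a boundary.
        if now >= self.window_start + self.period:
            self.window_start = now - (now - self.window_start) % self.period
            self.used = {}
        total = self.used.get(kind, 0) + amount
        if total > self.limits[kind]:           # reject, do not partially fill
            raise CircuitBreakerTripped(f"{kind} cap reached for this window")
        self.used[kind] = total
        return total

    def redeem(self, now: int, eth_out: int) -> int:
        """NXM -> ETH swap; returns ETH paid out so far in this window."""
        return self._consume(now, "eth_out", eth_out)

    def mint(self, now: int, nxm_out: int) -> int:
        """ETH -> NXM capital contribution; returns NXM minted so far in this window."""
        return self._consume(now, "nxm_mint", nxm_out)

def run_scenario() -> dict:
    """Constructed scenario: 1-day window, caps of 100 ETH out and 1,000 NXM minted."""
    cb = RammCircuitBreaker(86_400, {"eth_out": 100 * WEI, "nxm_mint": 1_000 * WEI})
    cb.redeem(100, 60 * WEI)
    out = {"second_redeem": cb.redeem(200, 40 * WEI)}  # exactly at the cap: allowed
    try:
        cb.redeem(300, 1)                                # cap exhausted: rejected
        out["third_redeem_tripped"] = False
    except CircuitBreakerTripped:
        out["third_redeem_tripped"] = True
    out["mint_unaffected"] = cb.mint(300, 500 * WEI)     # mint cap is tracked separately
    out["next_window"] = cb.redeem(86_500, 50 * WEI)     # new window, usage reset
    cb.limits["eth_out"] = 200 * WEI                     # progressive raise (governance action)
    out["after_raise"] = cb.redeem(86_600, 150 * WEI)    # 50 + 150 = 200 ETH, allowed
    return out
```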
Bug bounty program
Nexus Mutual works with Immunefi to manage a bug bounty program. On Immunefi, hackers secure DeFi contracts, save funds from theft, and get paid for responsibly disclosing vulnerabilities. We are able to secure the Nexus Mutual protocol through this program with Immunefi.
Through this program, whitehat hackers are incentivized to disclose vulnerabilities in the Mutual's smart contract system in exchange for payouts scaled to the severity of the finding.
Smart Contracts and Blockchain
- Critical | Up to $50,000 USD
- High | Up to $25,000 USD
- Medium | Up to $10,000 USD
- Low | Up to $2,000 USD
Note: Bounties are listed in USD but paid out in stablecoins.
Check out the bug bounty program on Immunefi for more details.