Announcing the first Nexus Mutual Bug Bounty

Roxana Danila
Nexus Mutual


Find the bugs, get rewarded. Earn up to $5,000 for every bug you report.

Nexus Mutual is a discretionary mutual offering an alternative to insurance for Ethereum users. People who join the mutual become members, and members can buy cover to protect themselves against hacks in smart contract code. Each member can hold tokens which represent membership rights.

We’ve launched a new staking system, referred to as Pooled Staking, that encourages members to stake on contracts they think are secure, and rewards those members accordingly. It brings increased rewards, better distribution of rewards among members, removal of the old queue system, and a shorter lock-up period.

Nexus Mutual has been through several phases of research, testing, and, recently, a successful external audit.

Please refer to this documentation for the technical specification of the intended behavior.

Audit Report

The contracts have been carefully audited by smart contract security experts Nick Munoz-McDonald and Adam Kolář of G0 Group. The audit report can be found here.

Bug Bounty Program

We encourage responsible disclosure of security vulnerabilities and are happy to announce the bug bounty program for the Nexus Mutual Pooled Staking. You can earn up to $5,000 for every bug you report.

The Rules

  • You can start or fork a private chain for bug hunting. Don’t try any exploits against our contracts on mainnet.
  • Issues that have already been submitted by another user or are already known to the Nexus Mutual team are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty.
  • The Nexus Mutual core development team, employees, and all other people paid by Nexus Mutual’s Foundation either directly or indirectly (including the external auditors), are not eligible for rewards.
  • The Nexus Mutual bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Nexus Mutual bug bounty panel.

The Scope

The scope of our bug bounty program includes Pooled Staking related code at commit https://github.com/NexusMutual/smart-contracts/commits/2e748e8435d50ca0f5057cef05faf5670b32aa8d, as follows:

  • PooledStaking.sol.
  • Any function calls to PooledStaking.sol from other Nexus Mutual contracts.

Examples of what’s in scope for the bug bounty include being able to:

  • Steal funds from the contract.
  • Lock funds or render them inaccessible to their owners.
  • Perform other users’ actions on their behalf that would increase their risk or put their funds in danger.
  • Prevent rewards from being correctly distributed to the stakers.
  • Bypass the stake burning mechanism.
  • Perform denial of service attacks.

Out of scope:

  • Any files, modules, or libraries other than the ones linked to above.
  • Methods related to migration from the old staking system.
  • More efficient gas solutions.
  • Any points listed as already known weaknesses in the Nexus Mutual Pooled Staking documentation.
  • Any points listed in the audit report.
  • Any issues relating to networks other than the Ethereum mainnet.
  • Any other assets related to Nexus Mutual’s infrastructure such as servers, websites, domains, or any other off-chain services.

Compensation

Any bugs will be considered for a bounty, including the ones that don’t require a redeploy to be addressed. The reward will be determined by the severity of the threat, as explained below.

High severity threat: up to $5,000
Medium severity threat: up to $2,000
Low severity threat: up to $1,000

All bounties will be paid in USDC.

Please note that the submission’s quality will factor into the level of compensation. A high-quality submission includes an explanation of how the bug can be reproduced, a proof of concept (e.g. in the form of a failing test case), a valid scenario in which the bug can be exploited, and a fix that makes the test case pass.

Submission Process

Please email your submissions to: security@nexusmutual.io.

Don’t forget to include your ETH address, so that you may be rewarded. If more than one address is specified, only one will be used at the discretion of the bounty program administrators. Anonymous submissions are welcome, too.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.

We ask that:

  • You give us reasonable time to investigate and mitigate an issue you report.
  • You coordinate with us before making public any information about the report or sharing such information with others.
  • You do not exploit a security issue you discover for any reason.
  • You do not violate any other applicable laws or regulations.

Any questions? Reach us via Discord, on our #bug-bounty channel.

Happy hunting!
