Saving $200m in DeFi Cover

On a late Tuesday evening a few weeks ago… we discovered some alarming bugs on NFT coverage. This is the story of how Armor, Nexus Mutual and Yearn’s founder Andre saved $200m of cover from becoming bricked.

AZ
ArmorFi

Twitter | Telegram | Discord | Website | Github | Announcements

Warning: Do not ape or fomo into fake $ARMOR tokens. They are NOT available yet. The complete Smart Asset Protection System (SAPS) built on Nexus Mutual is coming soon.

It all started when we began to develop our new arNFT¹ smart contract…

We first built an interface to allow anyone to mint cover for all Nexus-assured protocols. Even though it was once promised by others in the past, Armor is the first to deliver it.

Armor also needed a new Nexus Mutual coverage minting smart contract.

We would not copy-paste the yInsure contract to mint tokenized coverage. Instead, Armor would improve what we were building on.

Our team found a way to reduce gas costs to mint the arNFTs by 30%² and introduced a couple of new features.

Next came the hard part, and it is where this chapter begins…

Armor’s CTO Robert Forster was working on new smart contracts when he alerted me to two critical severity yNFT bugs³.

  1. When a user tries to redeem a claim payout, their transaction won’t go through because yNFT enters coverId instead of claimId.
  2. If the claim did go through, the user would receive WEI instead of ETH. If the user had 100 ETH cover, they would receive 100 WEI which is 0.0000000000000001 ETH.
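
The two bugs above, modelled in Python as an added example (this is not code from yNFT, arNFT or Nexus Mutual). The ledger layout, ids, function names and the assumption that the sum assured is recorded in whole ETH are hypothetical; every redeem function returns the payout in wei.

```python
from dataclasses import dataclass

WEI_PER_ETH = 10**18

class Revert(Exception):
    """Stands in for an on-chain revert."""

@dataclass
class Claim:
    cover_id: int
    accepted: bool

# Constructed sample state; ids and amounts are made up for this example.
# Assumption: the protocol records the sum assured in whole ETH, not wei.
COVERS = {7: 100}                                 # coverId -> sum assured (ETH)
CLAIMS = {42: Claim(cover_id=7, accepted=True)}   # claimId -> claim record

def accepted_sum_assured(claim_id):
    """Hypothetical protocol lookup, keyed by claimId; returns whole ETH."""
    claim = CLAIMS.get(claim_id)
    if claim is None or not claim.accepted:
        raise Revert(f"no accepted claim with id {claim_id}")
    return COVERS[claim.cover_id]

def redeem_buggy(cover_id, claim_id):
    """Both bugs: looks the claim up by coverId, pays the ETH figure as wei."""
    return accepted_sum_assured(cover_id)

def redeem_unit_bug_only(cover_id, claim_id):
    """Right id, wrong unit: 100 ETH of cover pays out 100 wei."""
    return accepted_sum_assured(claim_id)

def redeem_fixed(cover_id, claim_id):
    """Looks up by claimId, checks it belongs to this cover, converts to wei."""
    claim = CLAIMS.get(claim_id)
    if claim is None or not claim.accepted or claim.cover_id != cover_id:
        raise Revert("claim is not an accepted claim on this cover")
    return COVERS[cover_id] * WEI_PER_ETH

def reverts(fn, *args):
    """True if the call reverts, False if it returns a payout."""
    try:
        fn(*args)
    except Revert:
        return True
    return False

if __name__ == "__main__":
    print("buggy reverts:", reverts(redeem_buggy, 7, 42))
    print("unit bug pays (wei):", redeem_unit_bug_only(7, 42))
    print("fixed pays (wei):", redeem_fixed(7, 42))
```

The fixed path also rejects a claimId that is not an accepted claim on the token's own cover, so a payout cannot be redeemed against the wrong cover.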

We asked our friend Taek Lee, who is a smart contract auditor, to take a quick look, and he confirmed it to be true.

This was pretty alarming.

With over $200 million in active cover underwritten by Nexus Mutual across popular protocols such as Uniswap, AAVE, Maker, Compound, Curve, Synthetix, Yearn, RenVM, Balancer and more…

In the event of hacks on any of these assets, many investors would be in a tough spot.

But there had to be a way to save the $200m+ of Nexus Mutual coverage in active circulation.

Our mission with Armor is to offer people the best in asset protection, so we couldn’t leave them behind. It was important to disclose this to Nexus Mutual and yInsure ASAP so they could be aware of the issue.

We all aim for secure and trustless environments.

Still, at the core of asset coverage is knowing it’s secured by a known community that is there when you need it.

I contacted Hugh Karp, founder of Nexus Mutual, immediately with a detailed bug report. I hoped his team could confirm our findings in prod and suggest solutions. Soon enough the Nexus Mutual team confirmed the issues. Yearn’s founder Andre was now also aware and we began to explore possible solutions.

After intense research with her team, Rox Danila, CTO at Nexus Mutual, had found a way to save the day with a system upgrade⁴ via governance.

This upgrade would allow cover holders to update and map their claim payout address to a new fixed smart contract that will handle claims payouts with functions which fix the original bugs.

Having seen Armor building a solution already, Andre had a suggestion…

We could migrate all $200m+ in yNFT tokenized coverage to the new Armor NFT system.

We were keen to take it over and I promised him that Armor would have our new smart contracts audited⁵ before going live.

Taek helped us secure Haechi Labs to audit our new arNFT smart contracts at short notice⁶. They made it happen fast and I would recommend them to anyone who needs audits done for their product.

Visit https://armor.fi now to buy NFT coverage for ALL protocols covered by Nexus Mutual. Please only buy coverage if you need to use it to protect your assets.

This small first release is a key part of our upcoming Smart Asset Protection System (SAPS) for DeFi. This system will automatically track asset balances for multiple wallets across protocols and recommend a combination of pay-as-you-go coverage which you can change any time, without needing to manage expiries.

Users holding yNFT coverage may migrate to arNFT on our upcoming swap interface. Migration details are coming soon. Claims can be submitted for up to 35 days after cover expiry so assets are secure.

¹ An arNFT is a non-fungible token built by Armor.fi on top of the Nexus Mutual protocol. It enables users to create ERC721 tokens from cover they purchase with Nexus Mutual through Armor. The arNFT contract itself is an ERC721 token with functionality to buy covers, submit claims, and redeem accepted claims from Nexus Mutual. It is based on Yearn’s yNFT and also allows users to swap their yNFT tokens for arNFT tokens. Auditors have tested the interactions between arNFT and yNFT, and between arNFT and Nexus Mutual.

² This improvement was achieved by not saving any token details on the arNFT. Instead, we now call details directly from Nexus Mutual via their contracts to give dapps which use the arNFT all the info they need.

³ Upon claim payout redemption, yNFT passes coverId instead of claimId to the NXM contract, so redemptions won’t go through. If they do somehow go through, they pay out WEI instead of ETH. The issue with paying out WEI instead of ETH is that if you have coverage for 100 ETH, it’ll give you 100 WEI instead, which is 0.0000000000000001 ETH. Also, if someone has the coverId corresponding to the paid-out claimId, they could steal money from yNFT.

⁴ In this case, the yNFT contract address can be mapped to the new arNFT contract that will handle claims payouts via a function that fixes the original bug. Both the Nexus Mutual upgrade and the new payout address will be implemented via governance.

⁵ We had found 2 critical severity and 2 low severity bugs on yNFT, plus 1 high severity and 1 medium severity bug on the old SAFE yNFT token distribution contract while creating Armor’s new arNFT smart contracts, so we were hyper-aware of the need for audits.

⁶ The new arNFT audit by Haechi Labs may be reviewed here.
