In the aftermath of the $120M hack of BadgerDAO on Dec. 1, Nexus Mutual, the insurance protocol, will not pay out to people who bought coverage if it was a frontend attack, according to the project’s Twitter.
“We’re waiting for full details from the BadgerDAO team, but this appears to be a frontend attack,” Nexus Mutual said. “If this is confirmed as a frontend attack, BadgerDAO’s smart contracts were not impacted & this would not be a covered event.”
A frontend attack is carried out at the user interface level rather than at the level of a project’s smart contracts. BadgerDAO is a Bitcoin-focused DeFi protocol.
The insurer’s announcement irked many. “As someone who spent years suing insurance companies when they failed to pay valid claims, color me shocked, absolutely shocked, that insurance ‘on the blockchain’ is the same old story,” tweeted Stephen Palley, a partner at the law firm Anderson Kill.
Nexus Mutual hasn’t officially confirmed that coverage won’t be provided as they are waiting on a postmortem from the BadgerDAO team, BraveNewDeFi, the marketing lead at Nexus Mutual, told The Defiant.
“Loss events like rug pulls, compromised wallets, and frontend attacks have a high moral hazard and cannot be covered,” said the marketing lead. “If they were, it would be easy for users to game the system.”
BraveNewDeFi said that in theory a person working on the protocol could inject malicious code into the frontend, buy Nexus Mutual coverage, and then drain users’ funds while also collecting an insurance payout.
As a result, Nexus Mutual doesn’t cover frontend attacks, said BraveNewDeFi. The project’s document on Protocol Coverage provides horizontal coverage for specific protocols. Nexus Mutual has made major payouts in the past. After the CREAM Finance hack in October, the protocol put out a statement saying affected users were eligible to file claims for more than $10M in payouts. Nexus also paid out $2.4M in February because of a Yearn Finance hack, according to a statement from the insurance protocol.
This latest episode highlights key issues that will shape the development of DeFi insurance. Nexus Mutual’s overview reads: “Claims should be paid when users of the protocol suffer material financial losses due to failures in either the protocol code, economic design, governance set-up or oracles.”
In other words, Nexus Mutual doesn’t categorize frontends as protocol code, presumably because developers outside a project’s core team can also spin them up.
There are devs working on decentralized frontends, which theoretically should be harder to hack — Homescreen is a product which allows users to save versions of apps’ frontends.
“This means each user owns their copy of the app and is in complete control of version updates,” says Homescreen’s docs. “We see this as particularly necessary for the DeFi space for additional security and control over access to decentralized protocols and smart contracts.”
David Vorick, co-founder of decentralized storage solution Sia and the lead developer of Skynet, which produces Homescreen, chipped in on Twitter, saying that the frontend’s security surface rivalled that of protocols’ smart contracts.
“Using a centralized frontend for defi is like going to a nightclub with no fire escape,” he said in a separate tweet. “It’s fine until it’s not, and then it’s really not fine.”