Nexus Mutual is an Ethereum-based product that offers smart contract insurance. I think it is a noble idea with huge potential. Nexus Mutual finally went live on mainnet on 24th May 2019 after being under development for 2+ years.
Let’s start with what I like about them. I really love what they are trying to do and the concept of smart contract insurance via shared risk. Their UI looks neat as well. Hugh Karp, the founder of Nexus Mutual, has tons of experience in the insurance industry, and it shows in their solid docs and whitepaper. You should definitely read their docs on https://nexusmutual.gitbook.io/docs/ and visit their website https://nexusmutual.io/ to learn more about them.
Now, it’s time to talk about the ugly things. In plenty of places, you’ll see Nexus Mutual claim to be decentralized using statements like “No insurance company. Nexus Mutual is run entirely by its members. Only members can decide which claims are valid.” However, the reality is that a single entity owns the smart contracts and can upgrade them to a completely different implementation without needing anyone else’s permission. This means that a single entity can take any action it likes: burning anyone’s NXM tokens, minting new NXM tokens for free, transferring the pool’s entire shared balance to itself, etc. According to their Discord channel (which, by the way, you should join using https://discord.gg/Qmsn4T), the owner is Hugh Karp’s Ledger. Keep in mind that even if they are not planning on exit scamming, it is a single point of failure and the keys can be stolen. It’s not even a multi-sig. Apparently, this was done for legal reasons (I don’t believe them on this one) and Hugh will give up these powers after 6 months. I will not be comfortable purchasing NXM tokens as long as a single entity holds such powers.
Another thing that I don’t like about Nexus is that the quote is generated off chain in a centralized fashion. The quote is generated on a conventional server that uses an Ethereum account to sign quotes, and only the signatures are verified on chain. This means that the private key is kept exposed on the server. This leads to two major concerns:
- People with access to that server can generate imbalanced quotes. For example, they can generate a quote to buy a 100000 ETH cover for 1 ETH for a smart contract that is buggy and is going to be hacked for sure. This way, they’ll be able to empty the pool’s funds easily.
- As the private key is exposed on a server, it’s just like a hot wallet and an easy/obvious target for hackers. Once the Nexus Mutual pool gets enough funds, it will definitely be targeted by hackers, and I am not sure how secure Nexus Mutual’s infrastructure is. All I know is that even the biggest companies get hacked.
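As an added illustration (not Nexus Mutual’s code), here is how a cover-purchase function can verify an off-chain signed quote with ecrecover while also enforcing an on-chain premium floor, so that a compromised quote server cannot price cover arbitrarily low; the contract layout, the signer key and the 1.3% floor are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract (not Nexus Mutual's): accepts quotes signed off chain by
// a server key, but bounds what that key can authorise with an on-chain floor.
contract BoundedQuoteVerifier {
    address public quoteSigner;              // assumed: key kept on the quote server
    uint256 public minPremiumBps;            // assumed floor, e.g. 130 = 1.3% of cover per year
    mapping(bytes32 => bool) public usedQuotes;

    constructor(address signer, uint256 floorBps) {
        quoteSigner = signer;
        minPremiumBps = floorBps;
    }

    function buyCover(
        address coveredContract,
        uint256 coverAmount,     // in wei
        uint256 periodDays,
        uint256 premium,         // in wei
        uint256 expiresAt,       // unix timestamp chosen by the quote server
        uint8 v, bytes32 r, bytes32 s
    ) external payable {
        require(block.timestamp <= expiresAt, "quote expired");
        require(msg.value == premium, "wrong premium");

        // Rebuild exactly what the server signed; binding this contract and the
        // buyer into the digest prevents replay on another contract or by another user.
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(address(this), msg.sender, coveredContract,
                                 coverAmount, periodDays, premium, expiresAt))
        ));
        require(!usedQuotes[digest], "quote already used");
        // ecrecover returns address(0) on a malformed signature, which never matches
        // a non-zero quoteSigner, so a garbage signature is rejected here.
        require(ecrecover(digest, v, r, s) == quoteSigner, "bad signature");
        usedQuotes[digest] = true;

        // On-chain floor: even a validly signed quote cannot price cover below this,
        // so a stolen or abused signer key cannot issue a 1 ETH premium on a huge cover.
        uint256 minPremium = coverAmount * minPremiumBps * periodDays / 10000 / 365;
        require(premium >= minPremium, "premium below floor");

        // ... record the cover and credit the pool here
    }
}
```

The floor bounds the damage rather than eliminating it: a compromised server could still sign quotes at the floor for a contract it knows is doomed, so the key still needs the same protection as any hot wallet.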
Unfortunately, I haven’t been able to explore their dApp much, as I am Indian and they don’t accept members from India. It’s funny because their CTO is from India, their lead developer is from India, most of the developers are from India, and some of their servers are hosted with ctrls.in in India. It’s not their fault though. Regulations suck :p.
None of these concerns is something that cannot be solved, and I hope Nexus Mutual solves them as soon as possible, as it is an awesome product otherwise. I wish them the best of luck!
Before I close this post, I want to disclose some facts. I worked on Nexus Mutual for a brief time at my previous job, and they still use some (only a little :)) of the code I wrote. I am no longer involved with Nexus Mutual in any way. Also, you should do your own research before drawing any conclusions about them. Last but not least, these are my personal opinions and not investment advice of any kind.