Nexus Mutual: A Deep Dive

Decentralized finance (DeFi) has been the center of attraction in the crypto space these days, and Nexus Mutual will play a vital role in insurance. One of the most significant risks in DeFi lies in the failure of the smart contract. It doesn't matter if it is hacked or bugged; smart contract failure is the fastest way to lose your money. You can agree with me that it will be nice to hedge against this risk. The Nexus Protocol has made it possible for us to mitigate the threat of losing your money on DeFi. 

In this article, we will take a closer look at decentralized insurance like Nexus Mutual. 

What is Nexus Mutual?

It is an Ethereum-based decentralized platform that creates insurance products with community-based management and financials. You can also see it as a blockchain-based platform that offers decentralized insurance products. The first product of Nexus is the smart contract cover. This protects users against smart contract vulnerabilities. This only covers smart contracts used on the different decentralized finance (DeFi) platforms. 

Today, the insurance industry is dominated by complex conglomerates that utilize models driven by profit margins, premiums, and reinvestments. The Nexus Mutual blockchain aims to disrupt the traditional insurance business model. It hopes to rewire stakeholder incentives to assess risks proactively and, at the same time, collectivizing financials. 

Learn about Binance DeFi project

Nexus Mutual was launched with only one type of cover: Smart Contract Coverage. It uses a system of democratized risk assessment and pooled claim staking to protect against any financial loss. It means that staking can be executed on multiple contracts at the same time in order to increase potential rewards and minimize losses. Also, any reward earned from purchasing covers will be equally shared among all stakeholders of that particular contract. Anyone can become a member of Nexus and can purchase the Nexus Mutual native token called NXM. The NXM can be used to purchase insurance coverage and also to be part of the Nexus governance process. 

The governance protocol of NXM involves the ability to assess the risks of covering a particular smart contract. The holders of NXM will have to vote on whether to accept claims or not. This usage makes NXM a multifaceted utility token that drives the Nexus ecosystem. You can only buy the NXM token on the Nexus platform, and it is not available on exchanges. Also, the utility token can only be transferred between Nexus Mutual members. The NXM token price fluctuates in response to the amount of capital the mutual holds in comparison to the amount of money needed to fulfill its existing liability across claims. When the mutual have enough funds, the price of NXM increases. On the other hand, it decreases when the mutual requires more funds. 

What is the Purchasing Coverage on Nexus Mutual?

 To purchase a Smart Contract Cover, you must do the following:

The price coverage is determined by the members of Nexus Mutual, known as risk assessors. These people are experts in smart contract auditing. If these risk assessors determine that a smart contract is safe, coverage can be initiated. Now, the risk assessors have to stake NXM towards the coverage pool. The stakes will be used to pay for claims if there happens to be a breach of the smart contract. Therefore, these Risk Assessors are incentivized to only stake on smart contracts that they know to be secure. Once the staking has been made, the tokens are locked up for 90 days. 

The Nexus Mutual insurance can cover all Ethereum smart contract addresses. However, there must be a sufficient amount of NXM token that is staked to cover the claim liability. Examples of smart contracts that have been covered include Compound, Uniswap, Maker, Curve, and Aave. Nexus coverage can last from a single to a number of years. Whereas the staked insurance ranges from 1ETH to 50000 DAI. 

Nexus Governance Process 

The members of Nexus Mutual and an advisory board through its DAO are responsible for the platform's governance. The Advisory board comprises five members that include company founders, industry experts in smart contract security, insurance and mutuals, and legal and regulatory bodies. Also, any member can be voted into the advisory board to replace an already existing member. 

A member can suggest changes to the blockchain protocol by submitting a proposal through its governance platform. Once a member submits a proposal, the advisory board will verify the proposal and suggest an outcome for it. They will also determine the total NXM token rewards shared amongst members who participated in the voting process. The voting itself is also executed through NXM. The weight of a member's vote is proportional to the amount of NXM token the members staked for voting. One thing to note is that rewards are shared among the number of those who vote. The sharing is not proportional to the number of tokens that voted. In the end, this process helps to ensure a more equitable reward-based structure that is not dependent on NXM holdings. 

Also, read about Ethereum Enterprise Alliance

What is the Difference Between Nexus and Traditional Insurance?

In the case of traditional insurance, the insurance agency decides on what to do with its customers' money. The insurance agency decides on how to invest, the risks to cover, when stakeholders are paid, and so on. They always carry out lengthy damage assessments and rarely pay the actual worth of the damaged asset. The reason is that the interest of both the insured and the insurer are more adversarial than cooperative.

On Nexus Mutual, membership tokens and incentives are more aligned to help develop the community. It is far better than the adversarial relationship described above. 


Although blockchain for insurance has been growing as a sector, Nexus Mutual is the first decentralized model being applied in insurance. Its Smart Contract Cover has been essential in the decentralized finance (DeFi) ecosystem. Some future Nexus insurance products include coverage for crypto wallets, etc.

Read Compound Chain: A Comprehensive Guide

Smart Contract Security: The Attacks and Solutions

Smart contract security is fundamental to trustless applications. Smart contracts are a set of predefined codes that self-executes according to the terms therein. 

Although it acts similarly to the traditional agreement, it eliminated the involvement of a third party. The smart contract protocols are capable of initiating their commands automatically. 

You cannot update or modify a smart contract for security patches after its deployment on a blockchain network. Therefore, developers must ensure that they implement robust security strategies before deploying on the blockchain network. Recent attacks and the number of vulnerabilities due to the absence of security patches have challenged smart contracts' sustainability. 

While blockchain technology is gaining traction, there are potential attacks. For instance, there are currently emerging DeFi attacks; exchange hacks, among others. However, all blockchain-related attacks are not smart contract attacks. Some are defraud, malicious, and weak protocol attacks. Nonetheless, herein we are discussing the smart contract attacks and possible smart contract security guides. 

Despite the different security measures in place, a smart contract faces challenges of various attacks. These attacks do not only target smart contracts; they also go after cryptocurrency wallets, transaction authentication, mining pools, etc. 

The Smart Contract Framework

The Ethereum network is one of the significant frameworks that are often used to develop smart contracts. As a smart contract developer, you can build any dApp on the Ethereum platform. However, despite all its advantages, it is not fully secured.

For example, unexpected bugs in the smart contract can trigger it to execute tasks it wasn't designed to perform. This leads to a significant loss on the parties involved in the unresolved agreement that follows. Meanwhile, Ethereum is not the only smart contract platform you can utilize for the development of dApps. 

Other platforms include the likes of Hawk, which you can use for the development of privacy-preserving smart contracts. Hawk is the first smart contract security system. It established a recognized academic provision of the cryptocurrency blockchain model. It consists of a Universal Composability (UC) model, which comprises independent interest. You can leverage the UC model to stimulate security protocols in the blockchain network.

Also read: Writing Your First Smart Contract Using Clarity

Attacks on Smart Contract Security

Over the years, there are many smart contract attacks, costing the victims a huge amount of money. However, the DAO and the Parity Wallet hacks are well-known. A few members of the Ethereum society inaugurated the DAO (known as genesis DAO) in 2016. DAO was an open-source smart contract protocol that allowed anyone to swap DAO tokens with ETHs. 

The process helped to generate about $150m, providing DAO with a large crowdfund. Participants who have DAO tokens were allowed to vote on propositions and were rewarded, provided it resulted in a profit. However, the DAO smart contract had made underlying flaws that allowed attackers to remove the network's funds. A loophole allowed the hacker to request funds from the smart contract before the balance was updated. 

Such vulnerability occurred due to bugs in the code, where the developers did not consider the possibility of a recursive call. 

Therefore it allowed hackers to steal ETHs worth millions of dollars within the first few hours. The DAO attack is an example of how destructive a single vulnerability in the smart contract can be. 

You can read more about DAO Attack here.

Another attack was the Parity Wallet hack on the Parity Multisig Wallet version 1.5+. The vulnerability enabled the hacker to steal about 150,000 ETHs that was worth around $30m. In a bid to execute the attack, the hacker transmitted two separate transactions to acquire ownership of Multisig so that all the currency could be drained from the platform. Immediately the attack was complete; the Parity Multisig Wallet Library contract was initiated. This attack occurred twice; hence it is often referred to as Parity Wallet hack 1 & 2.  

The Attack Classification 

The attacks on smart contract security and blockchain, in general, can be classified into four basic categories. These categories include malicious attacks, weak protocol, defraud, and application bugs.

Malicious Attacks

This type of blockchain attack comprises spreading malware and viruses to people's wallets and accounts. Sometimes, it starts with compromising identities. Examples of such attacks are crypto-jacking, slack, and forum attack. How it happens is that a set of hacks will write programs that could penetrate your wallet to change some properties. Such properties are passwords, usernames, emails, etc. By doing so, it could compromise your account and, as such, may lead to loss of values. 

Weak Protocols

Unlike the traditional database and networks, the blockchain runs by protocols. The protocol vulnerabilities could lead to a sudden takeover of the system by hackers. For instance, there is Proof of Our Work, Proof of Stake, Delegated Proof of Stake, Byzantine Fault Tolerance, etc. depending on the blockchain functionalities. That said, the different protocols are prone to one attack or the other. Some of those attacks are 51% attacks, Sybill attacks, 34% attack, and denial of service. 

The Proof-of-Our Work protocol presumes that 50% of network miners will always be honest. Meanwhile, adversaries making up more than 50% hashing can gain control of the network. Therefore, weak consensus can lead to multiple attacks that relate to the blockchain network. On the other hand, the Sybil attack allows an attacker to establish several malicious nodes over the Bitcoin blockchain network. An Eclipse attack can occur in the same vein to manipulate the peer-to-peer (P2P) network. The essence is often to gain full control over the information that makes up a node. 


This smart contract attack tricks merchants into taking advantage of the unstable actions of digital transactions. Defraud can trick a merchant into releasing his goods before the confirmation of a transaction. In a practical sense, a Bitcoin transaction is confirmed after six transactions. 

Meanwhile, a consumer may try to persuade a merchant to release goods without waiting for up to 6 transactions, so attack techniques like one confirmation or no confirmation can be initiated to double spend. 

Application Bugs

This type of attack occurs when there is an error in the code of the smart contract. It arises when smart contract developers fail to see code errors in the decentralized application. An attacker can drain all the money from the smart contract wallet through simple code bugs. Hence, the need for smart contract audits.  

Smart Contract Attack

Here, we shall explore seven different attacks that affect smart contract security's integrity. If any of these attacks become successful, it causes the smart contract to perform in an unanticipated manner. In such a case, parties involved with the contract agreement might incur a huge loss. They include: 


This is one of the most catastrophic attacks on smart contract security protocols. The attack can completely render the smart contract useless or steal valuable information. This type of attack occurs when a function calls for another contract through an outer call. Such vulnerability enables an attacker to execute a recursive call back of the main function. The action creates an unintended loop that recurs many times. When a vulnerable smart contract has a revoke function, an attacker may call the revoke function multiple times to drain all available balance in the contract. 

Smart Contract Underflow and Overflow

This particular attack on smart contract security is relatively easy to initiate. It attacks transactions that accept unauthorized input data or value. A smart contract overflow happens when more value is provided than the maximum value. 

Smart contracts are often written in solidity, which can handle up to 256-bit numbers. Therefore, an increment by one would amount to an overflow. On the other hand, smart contract underflow is the total opposite of the overflow. 

Short Address Attack

The attack occurs when the Ethereum Virtual Machine (EVM) is weak. EVM can allow imprecise padded arguments, allowing hackers to send specially crafted addresses that lead to exploitation. This attack has the same strategy as the SQL injection bug. 


Most times, smart developers use the CALL and DELETECALL to modularize written code. Although the DELEGATE opcode comprises a similar function to the message CALL, the msg.sender and msg.value doesn't get altered. Such a feature allows developers to generate reusable code, improving the chance of abrupt code-execution using DELETECALL. This DELETECALL shows that it is possible to introduce flaws, leading to new smart contract security vulnerabilities. 

Transaction Ordering Dependence (TOD)

This vulnerability allows corrupt miners to have a damaging effect on smart contracts. The vulnerability relies on the order of transaction execution. For instance, every newly generated block contains two transactions that enforce the smart contract. This feature doesn't provide enough information to users to determine the agreement's state or about the initiation of an individual's invocation. In the Ethereum blockchain, miners control the order of transactions, and they prioritize transactions with higher gas. 

Therefore, any miner that closes a block can influence the order of the transaction. 

Timestamp Dependence

It is a smart vulnerability that attackers can exploit to compromise the integrity of smart contract projects. A corrupt miner can alter the timestamp by a few seconds since the platform gives miners about 30 seconds of block validation. Therefore, the outcome of the random number generated can be manipulated to gain benefits.

Smart Contract Security Techniques

There are about ten major security analyses that are in place to identify vulnerabilities in smart contracts. The deployment of most of these tools is for static and dynamic analysis of smart contract codes. These security techniques include Slither, MythX, Mythril, Manticore, Security, Smartcheck, Echidna, Oyente, Vandal, and Zeus. Each of these security techniques has a certain ability to identify vulnerabilities on smart contracts, and they have their limitations too. Whichever security technique you employ, ensure that you understand the limitations that it has. 


The importance of smart contract security cannot be overemphasized, especially now that smart contracts are gaining more traction. As technology expands, it catches the attention of more attackers. Therefore, it must be well protected from any form of attack. However, one can still not guarantee the proper solution to secure smart contracts; hence smart contract security is a big challenge. Consequently, there is a need for smart contract security audit. 

Xord is here for your Blockchain projects and free Blockchain consultation. Connect with our Blockchain experts at

Writing Your First Smart Contract Using Clarity [Part 1]


Blockstack is a platform with a vision of building a decentralized internet. Users are in control of their identity and data. It is a revolutionary shift in how people could use the software, create it and can get benefit from the internet. It puts people back in control. 

As we know in today’s world, the need for a smart contract over Blockchain has become a necessity, so Blockstack came up with their own language and architecture to implement smart contract over Stacks Blockchain. 

They have introduced Clarity, through which we can write smart contracts to control digital assets over Stacks Blockchain. Digital assets include BNS names, Stacks Token and so forth.

What Is Clarity:

Clarity is different from other smart contract languages mainly in two ways:

The reason that Clarity is not intended to be compiled is to avoid compilation level bugs. Turing incompleteness makes it prone to smart contracts issues such as reentrancy attacks, halting, and transaction fees prediction.

Because of these differences, it allows the static analysis of programs which can be helpful to determine runtime cost and data usage over the Blockchain.

The architecture of Clarity smart contract consists of two parts; a data-space and set of functions. A smart contract may only modify data-space to which it is associated. All the functions are private unless they are defined public. 

Users can call a smart contract’s public function by broadcasting transactions on the Blockchain.

Just like Solidity and other smart contract languages, a contract can call public and read-only functions of another smart contract as well.

Basic Architecture Of Clarity:

Basic building blocks of Clarity are atoms and list. An atom is basically a number of strings or characters. For example:

Native functions, user-defined functions, values, and variables that are in the program can be an atom. In Clarity, if a function mutates data it is terminated with an ! exclamation point. For example: change-name!

The sequence of atoms enclosed with ( ) parenthesis is a List. A list can also contain other lists. For example:

[code language="javascript"]
(get-block info time 18)
(and ‘false ‘true)
(is-none? (get id (fetch-entry names-map (tuple (name \”clarity\”)))))

Clarity supports comments using ;; (double semicolons). Inline and standalone comments are supported.

[code language="javascript"]
;; Transfers tokens to a specified principal (principal is equivalent to Stacks address)

(define-public (transfer (recipient principal) (amount int) )

(transfer! Tx-sender recipient amount)) ;; returns: boolean

Language Limitations And Rules:

The Clarity smart contract has the following limitations:

Let's Write Or First Smart Contract Now!

As clarity will go live in the next Stacks Blockchain fork, you can run Clarity on a local virtual test environment. The environment can be run in a Docker container. Before you begin this tutorial, make sure you have Docker installed on your workstation.

Now, for our first smart contract, we will be writing a simple contract which takes an integer as an input and returns that same integer as an output. 

Task 1: Setting up the test environment:

  1. Pull the Blockstack core ‘clarity-developer-preview’ image from Docker Hub.

$ docker pull blockstack/blockstack-core:clarity-developer-preview

 2. Start the Blockstack Core test environment with a bash shell.

$ docker run -it -v $HOME/blockstack-dev-data:/data blockstack/blockstack-core:clarity-developer-preview bash

The command launches a container with the Clarity test environment and opens a bash shell into the container. The -v flag creates a local $HOME/blockstack-dev-data directory in your workstation and mounts it at the /data directory inside the container. The shell opens into the src/blockstack-core directory. This directory contains the source for a core and includes Clarity contract samples you can run.

 3. Make sure you have ‘nano’ and ‘sqlite3’ packages installed inside the container by running commands nano and sqlite3. If packages are not present you can easily install them using these commands.

$ apt-get update

$ apt-get install nano

$ apt-get install sqlite3 libsqlite3-dev

Task 2: Writing the contract:

As you navigate to the path /src/blockstack-core and use ls to view the directories, you will see ‘sample_programs’ directory. This directory contains two sample contracts. We will write our contract in this directory. Let’s write!

  1. Make a .clar file using touch int_return.clar
  2. Copy and paste this contract code into that file using nano int_return.clar

[code language="javascript"]
(define-public (num-return (input int))

(begin (print (+ 2 input))

(ok input)))

This contract has a public function which can be invoked outside of the contract and takes an integer parameter and then returns the parameter. 

Task 3: Deploying and executing smart contract:

In this task, we will be interacting with our contract using ‘clarity-cli’ command line.

1. Initialize a new ‘db’ database in /data/ directory using this command

$ clarity-cli initialize /data/db

You will see the response ‘Database created’. The command creates an SQLite database. 

2. Type check the int_return contract, to see if there are no errors.

$ clarity-cli check int_return.clar /data/db

As a result of the above command, you will see message ‘Checks passed’

3. Generate a new address for your contract, this address will be used to name your contract at launch time. Now you can use this command:

$ clarity-cli generate_address


4. Add your address in the environment variable.


5. Launch the int_return contract and assign it to your DEMO_ADDRESS address. You use the launch command to instantiate a contract on the Stacks Blockchain.

$ clarity-cli launch $DEMO_ADDRESS.int_return int_return.clar /data/db

So, you will see ‘Contract initialized!’ message. In short, the contract is now deployed on the Blockchain

6. Now it’s time to run our smart contract’s public function num-return by using this command:

$ clarity-cli execute /data/db $DEMO_ADDRESS.int_return num-return $DEMO_ADDRESS 8

Therefore, you will see this response;

‘Transaction executed and committed. Returned: 8’


To sum up, you have deployed your first smart contract on the Stacks Blockchain using Clarity and clarity-cli on your local test environment. So, kudos to you! You can now view the transactions and block data from the database using ‘sqlite3’ cli. 

Xord can help you build Blockchain projects and give you free Blockchain consultation, connect with us and get started now!
Link: https://