Is insurance “not insured”? Viewing DeFi under Technology Neutrality from the Attack of NXM



The hacker attack this time was unexpected. The target of the attack was Hugh Karp, the founder of Nexus Mutual (NXM) himself.

Nexus Mutual has always been regarded as the leader of the DeFi insurance sector. Since the DeFi insurance business itself is designed to protect traders against security risks, this security incident caused many people to shout “Insurance is not insurable”.

With the explosive growth of the number of DeFi projects, the proportion of “hackers”, “geeks”, “developers”, and “scientists” is increasing.

It is clear that the food chain in the DeFi field may be in the process of being recast, and the top computer talents behind the above-mentioned titles are already at the top of it.

Is insurance “not insured”?

From official information and discussions in many communities, the entire process by which Nexus Mutual founder Hugh Karp was hacked has been reconstructed.

Nexus Mutual is regarded as the leader of the DeFi insurance sector, and it is also one of the many well-known leading DeFi protocols that appeared in the second half of 2020. Its native token, NXM, reached a high of $21 in July, with a maximum increase of 6 times in half a month. After the attack, NXM fell by 20%.

According to the official introduction, Nexus Mutual allows users to purchase cover for smart contracts, insuring against losses caused by smart contract vulnerabilities in some current mainstream protocols (such as Compound, Aave, Uniswap). On this platform, users can insure specific smart contracts for a period of 30 days or more, and each policy is priced in the native token NXM.

Similar to traditional mutual insurance, Nexus Mutual is owned by the holders of NXM. NXM is the core asset of the system, which represents the rights and interests of community members, including risk assessment through staking and participation in community governance.

This is an old brand founded in 2017. It is a company limited by guarantee established in the UK based on a mutual insurance organization structure. It is worth noting that Hugh Karp, the founder of Nexus Mutual, has more than 15 years of experience in the insurance industry and was once the CFO of UK Life Operations.

However, even though he was experienced, he was still “schemed”.

According to the official disclosure details, after the attacker obtained remote control of Hugh Karp’s personal computer, he modified the MetaMask plug-in used on the computer and misled Karp into signing a transaction. That transaction eventually transferred a huge amount of tokens to the attacker’s account.

Subsequently, 370,000 NXM tokens were transferred to an unknown account, worth about 8.33 million US dollars.
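The defensive check this incident points to is decoding the raw payload on a separate, trusted machine and comparing it with the intended transfer, rather than trusting what the wallet plug-in displays. The following is an added example, not code from Nexus Mutual or from the original article. It assumes the payload is a standard ERC-20 `transfer(address,uint256)` call and an 18-decimal token; the addresses and amounts are constructed placeholders, and the function names are hypothetical.

```python
# Added example: check what a transfer payload really does before signing it.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)


def encode_transfer(to: str, amount: int) -> str:
    """Build constructed sample calldata (used only to make test inputs)."""
    return "0x" + (TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(to[2:])
                   + amount.to_bytes(32, "big")).hex()


def decode_transfer(calldata_hex: str) -> dict:
    """Decode raw calldata; reject anything that is not a plain transfer."""
    text = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    raw = bytes.fromhex(text)
    if len(raw) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length %d" % len(raw))
    if raw[:4] != TRANSFER_SELECTOR:
        raise ValueError("unexpected selector 0x" + raw[:4].hex())
    if any(raw[4:16]):
        raise ValueError("non-zero padding before the address")
    return {"to": "0x" + raw[16:36].hex(),
            "amount": int.from_bytes(raw[36:68], "big")}


def mismatches(calldata_hex: str, want_to: str, want_amount: int) -> list:
    """Compare the payload with what the signer intends; [] means it matches."""
    got = decode_transfer(calldata_hex)
    found = []
    if got["to"] != want_to.lower():
        found.append("recipient")
    if got["amount"] != want_amount:
        found.append("amount")
    return found


# Constructed placeholder values, not taken from the incident.
INTENDED_TO = "0x" + "11" * 20
OTHER_TO = "0x" + "22" * 20
UNIT = 10 ** 18  # assumption: the token uses 18 decimals

if __name__ == "__main__":
    honest = encode_transfer(INTENDED_TO, 5 * UNIT)
    swapped = encode_transfer(OTHER_TO, 370_000 * UNIT)
    print(mismatches(honest, INTENDED_TO, 5 * UNIT))
    print(mismatches(swapped, INTENDED_TO, 5 * UNIT))
```

The comparison is only meaningful when the decoding runs outside the compromised browser, for example on a second device.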

“The hacking process is actually quite common. It is to trick (deceive) Karp into signing a seemingly normal transaction, but the actual transaction is to send the currency to himself”, Wan Hui Dovey, Founding Partner of Primitive Ventures and Member of the Advisory Board of Coindesk, said in a public analysis of the incident.

“Because Karp definitely does not have a large amount of wNXM, but a large amount of NXM, he must complete the “fishing” work in the internal disk. Then after the fishing is completed, the price of NXM itself will only fall to 100% of the MCR. I must know that it cannot be shipped by bonding curve, so I was very experienced to directly wrap the NXM and go to the outside to smash it.”

(Note: wNXM refers to wrapped NXM, which is the ERC20 version of the native NXM token. The relationship between the two is that only a holder of NXM can convert NXM to wNXM, at a 1-1 mapping.)

The “Bitcoin LA Professor” from the community described the hacker’s current behavior more simply: “The 370,000 coins stolen by the hacker has already smashed more than 200,000 coins. He replaced NXM with WNXM and hit the disk. I changed it, and recharged it to other CEX and DEX, and sold it in various ways.”

This is a scam carefully planned by hackers. Wan Hui summarized the incident: “The hacker who hacked Nexus Mutual not only got the remote control of Hugh Karp’s computer, but also did it in order to harvest Karp’s NXM. KYC of Nexus Mutual, (this is) has been carefully prepared for a long time, so it is useless to have KYC.”

After learning from the pain, Wan Hui once again reminded players in the DeFi field:


After news of the incident spread through the community, many investors sighed as she did: “The top of the entire DeFi food chain is really hackers and scientists.”

Even the founder Karp himself commented on this behavior when he tweeted about hackers, “a great trick, definitely an advanced operation.”

Recasting the food chain, reproducing the “double-edged sword” of technology

“A hacker will never detour because of who you are,” the CertiK security verification team commented.

Since the advent of the “agricultural era” of DeFi, the industry structure has quietly changed. And highly skilled computer experts such as “scientists,” “geeks,” and “hackers” once again stepped onto the front of the stage. Technical talents are becoming more influential new “wealth” and new “resources” in the DeFi field.

Perhaps more and more people have noticed this. There is a view that one of the important purposes of YFI founder AC (Andre Cronje)’s previous series of “mergers and acquisitions” is to gather talents.

From the mergers and acquisitions made by AC, it can be seen that he has merged many high-quality, already established projects through carefully targeted deals, and has tried to bring together the world’s top developers. Keep3r, which he developed, provides a new platform to aggregate DeFi developers. Integrating the world’s top developers to form a distributed gathering place for developer resources: this is what AC and his team want.

“The reason why YFI is so popular is that AC has attracted too many top talents to develop on his platform. A proposal can be made as an excellent project,” a community developer said, praising the idea highly.

“To a certain extent, this is a big merger of the world’s top developers, through the aggregation of talents to achieve aggregation of projects, aggregation of funds. This model is much more advanced.”

But under this new model, the constant emergence of security incidents once again let the market see the two sides of technology. From “developer talent” to “hacker”, it may only depend on a single thought.

In fact, compared to the “inductive” fraud that Karp suffered, more security issues in the DeFi field still lie in the project vulnerability itself.

According to the “2020 Cryptocurrency Crime and Anti-Money Laundering Report” released by the digital currency analysis company CipherTrace, DeFi hacks accounted for 21% of the total theft in 2020, whereas in 2019 the number of DeFi hacks was almost negligible. If the data related to the KuCoin exchange theft is not considered, DeFi hacks would account for more than 50% of the total amount. At the same time, some hackers are also using DeFi, choosing to launder stolen funds through decentralized exchanges.

Regarding the continuous emergence of technical “crimes”, Wan Hui once described DeFi hacking incidents as “a typical process of survival of the fittest”. In this process, only the best and most robust contracts will end up being used by the market.

“As a neutral financial tool, DeFi is used to defend private property against various drawbacks of centralized finance. Similarly, there are naturally corresponding evil forces to do what they think is “reasonable”.”

In any case, DeFi applications are gradually deeply involved in the entire market. DeFi is also bringing new vitality with an innovative attitude, and it also meets many needs of the market. However, the early development stage of new technologies will face some new challenges.

On a more optimistic note, technological security is a huge risk faced by traditional finance and the entire blockchain industry alike; DeFi cannot avoid it, but DeFi is also actively fighting back.
