[ANN] Neptune Mutual: Decentralized Cover Protocol on Binance Smart Chain

[Freemind]

Hackers infiltrated into the decentralized financial hub of Polkadot, Acala Network, and issued 1.2 billion aUSD tokens, making it the most recent Defi network to experience an exploit. Following the hack, the dollar-pegged stablecoin lost its peg immediately, losing 99% of its value. The coins were purportedly created without any collateral because the hacker exploited a flaw in the iBTC/aUSD liquidity pool. In response, the Acala team put the network in maintenance mode and froze the erroneously minted tokens, that led to the crashing of the USD-pegged stablecoin to a cent.

   • Lamborghini is set to launch newer set of digital collectibles.
   • Curve Finance front end UI compromised following a DNS attack.
   • AUSD, a stablecoin based on Polkadot, was exploited by hackers who minted over 1.2 billion tokens.

✅ The weekly report is available here: https://blog.neptunemutual.com/weekly-report-aug-15/

[Freemind]

An onslaught of cyberattacks in recent times has cast doubt on the security of smart contracts and the Web3 projects built on them. But where conventional security measures fall short, cover policies can provide a safety net and inspire confidence in the viability of these projects. Find out what kinds of hack and exploit incidents decentralized insurance can protect you against.

On June 18th, 2016, community members of The DAO awakened to the disturbing news that a smart code vulnerability in the protocol had been exploited resulting in the loss of over 3.6 million ETH (around $70 million at the time). Just days before, the blockchain-based cooperative had concluded its fundraising period, closing a whopping $150 million from more than 11,000 enthusiastic members...

✅ The full article is available here: https://blog.neptunemutual.com/what-you-need-to-know-about-smart-contract-hack-protection/

[Freemind]

The Australian Football League's (AFL) first limited edition drop of NFTs sold out in less than 12 hours. The AFL has followed in the footsteps of other international sporting codes that have ventured into the world of Web3 with the release of their Ripper Skipper 2022 NFTs. The AFL Mint program was used to launch Ripper Skipper 2022, letting people who joined the allow-list to purchase one of 3,800 packs reserved for the drop. These NFTs include 78 significant moments and highlights from the 2021 season in both video and audio formats. Each pack contains three different rarity tiers of moments: common, deluxe, and ovation. Limited edition digital content is also available; first-drop participants have a 10% chance of receiving an AFL Mint Genesis Ball.

   • Gordon Ramsay's Hell’s Kitchen lands in The Sandbox Metaverse.
   • Football Club Atlético de Madrid has launched NFTs in collaboration with Stepn.
   • Animoca Brands and Lympo have partnered with Play Magnus Group to bring chess to the web3 platform.

✅ The weekly report is available here: https://blog.neptunemutual.com/weekly-report-aug-22/

[Freemind]

Due to its decentralized nature, blockchain technology presents a number of unique challenges for insurers, such as data privacy issues, underwriting risks, claims validation processes, and lack of a standard regulatory framework, among others.

And while protocol cover providers have found clever ways around these issues, adoption of these solutions is still very limited.  One can’t help but wonder if collaboration between protocols might not help raise awareness and change behaviours towards more widespread adoption of digital asset protection.  As we see so regularly in news headlines about huge losses, there is clearly a strong case for protecting digital assets...

✅ The full article is available here: https://blog.neptunemutual.com/why-onchain-cover-protocols-should-cooperate-not-compete/

[Freemind]

The KaoyaSwap, a BSC-chain decentralized transaction protocol based on AMM and exchange pools, was attacked, resulting in a loss of approximately 37,294 $BUSD and 271.2 $WBNB. The affected function considers the balance difference of the last pair before and after the swap as the amountOut, before transferring $BNB tokens to the user. This logic will not cause any issues if the last pair appears only once in the swap path. When the last pair only appears one or more times, it will miscalculate the amount that should be transferred to the user. As a result, the attacker devised a swap path that includes two self-constructed tokens, tokens A and B, with the swap path likely being [A, WBNB, B, A, WBNB], with the A and WBNB pair being included twice in this swap path. Later, the malicious actor borrows 1800 WBNB in a flash loan and adds liquidity to the [tokenA, WBNB] and [tokenB, WBNB] pairs. Then he gets 1019 WBNB after the swap and 1029 WBNB after the liquidity removal, leaving himself with the profit.

   • Taco Bell and Decentraland are hosting a Metaverse wedding contest.
   • Telegram's co-founder proposes an NFT-style marketplace for usernames.

✅ The full article is available here: https://blog.neptunemutual.com/weekly-report-aug-29/

[Freemind]

Our protocol has already undergone its initial security audit by BlockSec, following which the #DevelopmentTeam  successfully addressed the revisions recommended by the team.  The audit report will be made available on our website in due course.

We have now employed another audit company to handle the second round of audits. The audit team has responded with a number of recommendations and adjustments and our #DevelopmentTeam  is currently reviewing these; once all adjustments have been made we will make an announcement and publish the 2nd audit report on our website.

   • We are looking forward to launching our marketplace on the Fuji testnet in a few weeks, and we look forward to your participation in testing the application again, particularly the new diversified cover pool product: follow us in Discord and Twitter for updates.
   • We are working on incorporating some suggestions made by a security audit firm for our second round of protocol's audit.

✅ The full article is available here: https://blog.neptunemutual.com/monthly-review-august-2022/

[Freemind]

Optifi, a Solana-based ecological derivative, attempted to update and upgrade on the Solana mainnet, but the deployer inadvertently used the solana close program command, causing their program to shut down. This operational error appears to have been irreversible, resulting in the loss of the locked 661,000 USDC, 95% of which was owned by team members. The team later announced that they would compensate all users' funds and manually settle their positions within a two-week timeframe.

An attacker took advantage of Degen Doge Club by using one of the smart contract methods to get all of the $DDC tokens in the pool and then calling another method of the contract that didn't check for incoming addresses, taking away approximately $104,600 worth of stolen assets. The attacker transferred almost all of the DDC tokens in the victim pool into the said function, then called sync to update the k-value. As the balance of DDC in the pool was reduced after the k-value was updated, the price of $USD corresponding to $DDC was significantly raised, and a large amount of USD was swapped via a small amount of $DDC.

   • Formula One trademark filings start paving the way for F1 NFTs.

✅ The full article is available here: https://blog.neptunemutual.com/weekly-report-sep-05/

[Freemind]

DaoSwap was attacked for 580,000 USDT in an attack that allowed users to put the inviter’s address as themselves due to mining rewards that were larger than the fees charged during the swap process and lack of verification. The perpetrator borrowed USDT via several flash-loans. Then he exchanged some USDT for DAO and transferred it to an address believed to be utilized for prize distribution calculation. The attacker then repeatedly swapped USDT and DAO tokens by invoking the contract to issue the reward to himself.

An attacker was able to deploy a custom smart contract at Nereus Finance that utilized a $51 million flash loan to manipulate the AVAX/USDC Trader Joe LP pool price for a single block, allowing the exploiter to mint 998,000 NXUSD against $508k in collateral. The team subsequently notified the community about the problem via its Discord-based channels, which was picked up by numerous onchain analysis groups, who reported the flash loan exploit as resulting in a $371k profit for the attacker. They also neutralized the exploit by liquidating and stopping the abused JLP market. The exploit was purportedly created by a missed step in the price calculation, which lacked a time-weighted average price mechanism to prevent the manipulation of a single block.

   • LG Electronics has launched its own NFT marketplace dubbed LG Art Labs.
   • Sony Music has filed a trademark application for NFT-authenticated music.

✅ The full article is available here: https://blog.neptunemutual.com/weekly-report-sep-12/

[Freemind]

On September 20, 2022, Wintermute's CEO announced on Twitter that the protocol had lost $160 million due to DeFi hacking attacks.

Wintermute is a global cryptocurrency market maker and algorithmic trading firm that offers liquidity across a variety of vetted exchanges, trading platforms, and coins.

The root cause of the attack is due to a vulnerability in Profanity, an Ethereum vanity address tool, which allowed for the disclosure of a private key. The attacker made use of this information to execute a privilege function and designate the swap contract as the attacker-controlled one.

✅ The full article is available here: https://blog.neptunemutual.com/decoding-wintermutes-hot-wallet-compromise/

[Freemind]

In October 2021, social media giant, Facebook announced that it would be rebranding to Meta with a view to “bringing the metaverse to life”. Despite the increased publicity generated about the metaverse since the announcement, the meaning of the term itself hasn’t necessarily gotten any clearer.

So what exactly is the metaverse?

It is a term that describes a hypothetical future version of the Internet where immersive virtual reality and mixed reality worlds combine to facilitate real time interactions and experiences.

Admittedly, this definition might not necessarily make the metaverse easier to understand. But hopefully, it gives enough to give you a general idea of the concept...

✅ The full article is available here: https://blog.neptunemutual.com/unpacking-the-basics-of-the-metaverse/

[Freemind]

On September 23, 2022, the npm (package manager for the JavaScript programming language) packages published by the cryptocurrency exchange dYdX, which directly relate to 44 other cryptocurrency projects, appeared to have been compromised. The packages in question were published by a member of the dYdX team using their personal npm account, which later turned out to contain malicious code that would execute information stealers on a system when installed.

The team announced on Twitter that the releases of these vulnerable packages were quickly removed and that all funds were safe. This attack had no effect on their smart contracts, and their web applications were intact. The team has since then archived one of the associated GitHub repositories relating to this exploit.

✅ The full article is available here: https://blog.neptunemutual.com/decoding-dydxs-supply-chain-vulnerability/

[Freemind]

Neptune Mutual Association.

The marketplace is moderated and operated by an association, called Neptune Mutual Association, located in Zug, Switzerland. 

Neptune Mutual Association is a not-for-profit entity that does not participate in any commercial activity within the marketplace.  Its primary role is to moderate the marketplace, and in particular to oversee the correct operation of the event reporting and incident resolution process.  Note that the association is not a DAO, and is not, at least for the time being, decentralised.  That being said, the association has been set up as the first step towards decentralising the governance of the protocol.  The Chairman of Neptune Mutual Association is Hans Koning,  advisor to Neptune Mutual from day one (but not a co-founder). 

The role of the association is to intervene in exceptional circumstances in order to protect the integrity of the Neptune Mutual ecosystem.  By way of example, the governance committee has the power to pause the protocol (or the cover pool in question) in the event that the incident reporting process suffers a 51% attack.   The governance committee also has the power to perform emergency resolutions to reverse incident reporting decisions in the event of malicious activity.  It is not within the remit of the association to intervene in the normal course of the incident reporting process.

✅ The full article is available here: https://blog.neptunemutual.com/the-neptune-mutual-ecosystem/

[Freemind]

The MEV bot named 0xbad made a windfall when a trader attempted to exchange $1.85 million Compound cUSDC for USDC on Uniswap v2, but was only able to receive back $500 in USDC due to a lack of liquidity. 0xbad made a tidy profit of 800 ETH, or nearly $1 million from the swap, backrunning the trade with an elaborate arbitrage involving many different DeFi dApps. However, an anonymous hacker exploited a vulnerability in the bots' arbitrage contract code, and stole not only the recently acquired 800 ETH, but the entire 1,101 ETH in 0xbad’s wallet, amounting to approximately $1.5 million.

   • Walmart has made its first foray into the Metaverse.
   • Warner Music Group has collaborated with OpenSea to expand Web3 opportunities for artists.
   • OneFootball has launched its second NFT drop in collaboration with Serie A.

✅ The weekly report is available here: https://blog.neptunemutual.com/weekly-report-oct-03/

[Freemind]

Among the many updates and improvements, we’re particularly excited to introduce a completely new type of parametric pool called a Diversified Cover Pool.   This new type of pool will open up the opportunities for parametric protection to a much wider range of blockchain projects.  There are a number of important differences between dedicated cover pools and diversified pools and we have provided an overview of these differences in the blog called Enhance Liquidity via Diversified Cover Pools.

As you might expect, we have made a number of changes to the search function and other UI aspects of the protocol to help search for cover products either directly or by category of cover pool (dedicated/diversified).

   • Neptune Mutual mainnet launch scheduled for later in 2022.
   • We’re all set to deploy the Neptune Mutual testnet2 protocol on the Fuji Avalanche network on the 8th October. Join Discord for details of our testnet2 competition.
   • We created the Exploit Analysis blog category so our readers can better understand how a hack or exploit incident was executed.

✅ The monthly report is available here: https://blog.neptunemutual.com/monthly-review-september-2022/

[Freemind]

Transit Finance is a multi-chain DEX aggregator that chooses and combines popular DEXs from public chains to improve transaction depth and yields.

On October 2nd, 2022, Transit Finance lost $21 million after a vulnerability in their code-base allowed a hacker to drain the wallets of users who had approved the protocol's swap contract.

The vulnerability existed in the project's code, but the attacker specifically targeted users by exploiting a weakness in the transferFrom function. The Transit Swap protocol did not strictly validate the data sent in by the user during token exchange, resulting in an arbitrary external call that the hacker exploited to steal approved tokens from users.

Any tokens approved for trading on Transit Swap could be sent directly from the user's wallet to the address of the exploiter...

✅ The full article is available here: https://blog.neptunemutual.com/decoding-transit-finances-contract-vulnerability/