DefiCare

Nexus Mutual

About

Nexus Mutual is a decentralized insurance alternative built on Ethereum that allows members to pool risk and purchase cover products protecting against smart contract hacks, custody failures, slashing, depeg events, and other crypto-native risks. Since 2019 it has served both individual and institutional clients, offering transparent on-chain claims processing and the ability to create bespoke cover solutions. The protocol is governed by members who collectively own and manage a jointly held Capital Pool.

Where Does Yield Come From?

Nexus Mutual is not a typical yield-earning DeFi app. Think of it as a risk marketplace: people buy insurance cover, and those who back that cover by staking NXM tokens earn rewards from the cover fees.

Where the rewards come from

When someone buys a cover policy, the full fee enters the Capital Pool. Half of that fee (50%) is turned into newly created NXM tokens and distributed as staking rewards. These rewards are paid out gradually over the life of the cover period to staking positions, which are represented as NFT tokens.

Who gets what, and how

Staking pool managers run the pools where NXM holders can put their tokens. Managers can charge a fee (set when the pool is created, up to 100% of whatever the pool earns) before the rest flows to stakers.

NXM holders who stake their tokens choose a lock period from eight options, ranging from 91 to 728 days. The longer you lock, the more you earn. The reward share formula is:

stakeShares × (1 + 10% × 4 × daysUntilStakeLockPeriodEnds / 365)

In plain terms: locking for longer multiplies your reward share.

The risk side — staked NXM can be burned

Staked NXM is not risk-free. If a valid claim is approved, NXM tokens are burned (destroyed) to pay it. The amount burned depends on the cover amount, the NXM-to-ETH exchange rate at the time the cover was bought, and a global capacity factor. The burn is spread proportionally across all stakers in that cover pool.

The Capital Pool also invests

Separately, the Capital Pool holds ETH, USDC, and cbBTC. Members can vote on how this pool gets invested, and any investment earnings flow back into the pool. But this is not the main draw for participants.

The bottom line

The primary way participants earn is through cover-fee-based staking rewards — not from depositor interest or lending spreads. No current APY or TVL figures are quoted here; these are the structural mechanics from the protocol's official documentation.

Persons

  • Hugh Karp

    Founder & CEO, Nexus Mutual

  • Roxana Danila

    CTO, Nexus Mutual

  • Ricky Tan

    COO, Nexus Mutual

  • Rei Melbardis

    Head of R&D; Advisory Board member

  • Sem

    Head of Community

  • Phil

    Director of Marketing

  • BraveNewDeFi

    Head of Product & Risk

  • Lee McClelland

    Advisory Board member

  • Graeme Thurgood

    Advisory Board member

Audits

Audit / Date | Findings | Verdict
iosiro, 24-03-2025 - 28-03-2025
  • Critical: 0
  • High: 1
  • Medium: 1
  • Low: 0
  • Info: 0
Both identified issues (one high, one medium) were resolved by Nexus Mutual before final review, resulting in a clean final audit with no open findings.
iosiro, 18-12-2024 - 06-01-2025
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 2
The audit found no high or medium severity issues; the two informational findings were either resolved or mitigated, indicating a clean codebase for the in-scope pricing changes. Residual risk is low given that the scope was narrowly constrained and all identified items were addressed.
iosiro, 31-10-2024 - 07-11-2024
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 1
  • Info: 1
The audit found only low and informational issues, both of which were resolved before the final review, indicating that the USD price feed oracle support was implemented without material security risks.
iosiro, 16-09-2024 - 18-09-2024
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 1
  • Info: 0
The audit found only one low-risk issue, which was closed after the client committed to operational safeguards (no ongoing swap orders during upgrades); one code quality improvement was also implemented. No critical, high, or medium risks were identified, indicating the contract changes are sound for their intended use.
iosiro, 12-08-2024 - 19-08-2024
  • Critical: 0
  • High: 0
  • Medium: 1
  • Low: 1
  • Info: 1
The audit identified one medium-risk, one low-risk, and one informational finding, all of which were resolved before the final review, with no open security issues remaining in scope.
iosiro, 09-07-2024 - 15-07-2024
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 2
  • Info: 1
The audit found no critical, high, or medium severity issues, and both low-risk findings and the one informational finding were remediated during the engagement, indicating that the refactor and bug fix were implemented securely.
iosiro, 12-03-2024 - 15-03-2024
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 1
  • Info: 0
The audit found no critical, high, or medium severity vulnerabilities, with only a single low-risk issue acknowledged but not remediated, indicating a strong security posture for the SwapOperator asset-to-asset swap feature.
iosiro, 23-01-2024 - 24-01-2024
  • Critical: 0
  • High: 0
  • Medium: 2
  • Low: 1
  • Info: 3
The audit concluded the code was of a high standard with relatively small, straightforward changes; the two medium-severity findings were resolved before finalization, and no critical or high-severity issues were identified, indicating low residual risk for the Safe Tracker contracts.
iosiro, 21-10-2023, 01-11-2023, 20-11-2023
  • Critical: 0
  • High: 0
  • Medium: 1
  • Low: 2
  • Info: 3
The audit found no critical or high-risk vulnerabilities, and all identified medium and low-risk issues were addressed before the final review, indicating that the tokenomics contracts are reasonably secure for deployment. Residual risks such as price manipulation are mitigated by design constraints and monitoring processes.
Chaos Labs, 01-11-2023
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
This mechanism design review validates Nexus Mutual V2's RAMM parameters as suitable for launch with no critical vulnerabilities identified, though ongoing parameter monitoring and adjustment based on real-world market behavior is recommended to mitigate arbitrage and liquidity risks.
  • Critical: 0
  • High: 7
  • Medium: 2
  • Low: 2
  • Info: 0
All seven high-risk and two medium-risk findings were resolved before the audit's conclusion, and the remaining low-risk item (oracle staleness) was accepted with off-chain monitoring. The audit provides reasonable assurance that the Nexus Mutual V2 contracts were secure at the commit reviewed, though the accepted oracle risk warrants continued monitoring.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 2
The audit concluded without residual high, medium, or low severity findings; the two remaining informational items are low-risk best-practice observations relating to single-use functionality. The protocol's Stacked Risk, On-chain MCR, and Swap Operator features were deemed to have satisfactorily addressed all material security concerns before deployment.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The auditors found the Distributor and DistributorFactory contracts to be of a high security standard, with all identified issues — including a low-risk deposit locking discrepancy and several informational items — remediated or suitably addressed before the final review.
iosiro, 03-08-2021, 11-08-2021, 17-08-2021
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
This audit found no security vulnerabilities in Nexus Mutual's Emergency Response upgrade; the codebase was well-structured, implemented per specification, and only minor design comments were raised, most of which were promptly addressed.
G0 Group, 01-06-2020
  • Critical: 5
  • High: 1
  • Medium: 1
  • Low: 0
  • Info: 0
All seven identified issues—including five critical vulnerabilities—were fixed by the developer before the engagement closed, leaving no open findings at the time of the report.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The G0 Group claim payout contract upgrade audit PDF was not available for analysis at any accessible source, so no security assessment can be rendered from this report. Users should seek alternate sources (e.g., directly contacting G0 Group or Nexus Mutual) for the findings.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The G0 Group distributor contract audit for Nexus Mutual was not available at the provided URL, so no assessment of its findings or implications for protocol safety can be made.
Solidified, 22-04-2019
  • Critical: 3
  • High: 0
  • Medium: 5
  • Low: 4
  • Info: 3
Three critical vulnerabilities were found that could enable fund draining, unauthorized token transfers, and signature replay attacks, all of which require remediation before deployment, while medium findings around upgradability and arithmetic safety also demand attention to ensure protocol integrity.

Legal

Legal form

Community Interest Company (CIC) — Collective Risk Services CIC, operating as website operator on behalf of Terrapin International Foundation

Registration jurisdiction

United Kingdom (England and Wales); registered under company number 11353187

Status and notes

Website footer: "This website is operated by Collective Risk Services CIC, with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ, on behalf of Terrapin International Foundation". Privacy Policy: Collective Risk Services CIC is the "Third Party Operator" acting on behalf of Nexus Mutual (the data controller). Terms of Use: Collective Risk Services CIC is the owner/operator of the website, with registered office at 27 Old Gloucester Street, London, WC1N 3AX. Privacy policy contact address: 71-75 Shelton Street, London WC2H 9JQ. Nexus Mutual is described as a DAO governed by members via onchain voting. The underlying protocol/smart contracts disclaimers state Nexus Mutual is not party to smart contracts. No legal entity named "Nexus Mutual" itself is incorporated; operations are carried out through the UK CIC and a foundation structure.