After much deliberation and careful thought Neptune Mutual decided to close the cover marketplaces.
After much deliberation and careful thought Neptune Mutual decided to close the cover marketplaces. Below the reasons for the decision as well as what it means for the community.
The marketplaces will be closed using an emergency withdrawal process whereby the liquidity provided to cover pools by LPs will be returned to the wallet addresses from which the liquidity was supplied. In addition to protecting cover pool LPs, there will also be refunds to all cover policy purchasers with an existing and valid policy who have paid over 10 USD in policy fees in one transaction.
For veNPM holders, please fill out this form to receive a refund for your veNPM to NPM conversion penalty.
From the end of June there will no longer be NPM emission incentives for LPs i.e. Epoch 3 of the liquidity gauge emissions will be canceled.
Unused funds raised from financial backers will be returned to those backers; this includes DEX liquidity that has now been removed from SushiSwap and Uniswap. A small amount of liquidity on SushiSwap Arbitrum has been left to enable a minimum amount of NPM trading.
The protocol will be open sourced, and become a true public good. Enabling the community to fork the code developed by the Neptune Mutual team such that others might use the existing resources to further our mission to make the blockchain space better protected against smart contracts and other risks.
There are numerous factors that have led to this difficult decision, some of which are external factors which are uncontrollable or unforeseeable. A few factors summarized below:
“Given Neptune Mutual’s Tier 1 backers, why have you not listed on a top CEX?”
This is perhaps one of the most frequently asked questions. In short, the answer is that for a variety of reasons Neptune Mutual was not able to achieve the diverse set of performance metrics (community size and engagement, marketplace user activity, DEX 24 hour trading volume, TVL growth etc.) required to list on top tier CEX. The CEXs that are prepared to list NPM token do not have the depth of liquidity or breadth of user-base to offer good prospects for NPM tokenholders.
“Why has Neptune Mutual not achieved strong growth?”
It is tempting to take a shortcut to answer this question by pointing a finger at one specific factor, but the reality is that there are many contributing factors. A few summarized below:
Since the outset of engaging with the community we have endeavored to highlight the need for DeFiInsurance; Neptune Mutual built a comprehensive dataset of on-chain hacks available, anywhere, and each week we highlight the many millions of dollars that are stolen as a result of smart contract hacks. Despite this, we have consistently been confronted by projects unwilling to spin up cover pools in our marketplace because of the sentiment that audits of their code are sufficient to persuade their community that their protocol is safe. Less than 0.3% of all digital assets are protected with some form of DeFiInsurance, and yet despite all the media reports of hacks, the conference discussions about the importance of governance or CEX proof-of-reserves, it continues to be the case that it is extremely difficult to get media attention to focus on the need for a fast and efficient means of mitigating smart contract risk.
A variety of approaches have been taken by different DeFiInsurance protocols to address this, from attending multiple conferences throughout the year and significant marketing spend, to the leaner approach that Neptune Mutual took (in part as a result of the bear market in 2023). What can be said is that no DeFiInsurance protocol has managed to achieve significant growth over the last 18 months, sadly the overall TVL of the sector has shrunk a lot.
For all the reasons above, at this moment the best course of action is no longer to double-down on investing in growth, but rather to refund unused capital and close the marketplaces.
The consequences are very tough for the Neptune Mutual team who have spent the past 3 years of their time on the mission to facilitate safer environments within DeFi. The team has delivered products according to the roadmap and the fact that the protocol was never hacked, despite attempts being made on the darkweb, is testament to the expertise, passion and absolute focus on security. The team survived the FTX and UST crisis unscathed, and believed that the continued growth in hacks would lead to growth in the demand for a good solution to mitigate these risks, but sadly, as can be seen right across the DeFiInsurance category, this is not yet in sight. So we would like to thank the team for all the dedication, skill and passion invested into the Neptune Mutual project since the outset.
The team will open source the protocol, including blockchain indexing protocol (subgraph alternative), frontend, middleware, database, and backend code, to make it a true public good. This will allow anyone to fork the code and create covers by defining parameters and premium ranges, potentially leading to innovative covers and organic usage.
The Discord channel will be closed to reduce the risk of phishing and other types of cyber attack, any questions / queries will be responded to in the Telegram channel.
We want to take this final opportunity to thank you all for your support.
Neptune Mutual will contact only its financial backers, with whom a signed agreement exists, in relation to next steps (i.e. holding NPM tokens does not qualify you for any form of refund). Contact will be made only from a neptunemutual.com domain email address so please check the source of any email you may receive very carefully. Please ignore any messages from any other email or social media accounts in relation to token/cash refunds.
Learn more about the various malicious activites, and how to stay safe from them.
Blockchain technology has been one of the biggest disruptive technologies of our time. It utilizes a decentralized model, meaning that control and data storage is done through a distributed ledger network instead of a centralized entity.
Under this model, information is validated through a distributed consensus that compares blocks of data stored in parallel on multiple nodes across the network. This makes it incredibly difficult to tamper with the information stored on the blockchain because any changes must be validated by all the distributed nodes on the network to achieve a consensus. In other words, if you have access to a single block in a blockchain, you cannot edit it without affecting the entire chain, and because of the consensus mechanism that compares blocks stored on different nodes then changing one block won't achieve anything.
However, even though blockchains are inherently secure by virtue of decentralization, the projects that interact with blockchains are still subject to a certain number of cybersecurity risks, and some of these attack vectors will be covered in this article.
Platform-based attacks against the ecosystem of the blockchain-based DeFi ecosystem are becoming more common today. These kinds of attacks make use of flaws in the various web-based content or their frameworks to exploit sensitive data, such as financial or personal information. Hackers are always looking for new methods to take advantage of websites and the visitors to those services. An assault on the domain name server of a website is one of the most prevalent ways.
The Domain Name System (DNS) system converts domain names into IP addresses. When a user enters a URL, their browser queries their Internet Service Provider (a.k.a. ISP) for the site's IP address. When you try to browse a website, your browser automatically goes to its IP address, but the website doesn't know what it's called because it can't connect directly to it. The DNS server looks up which website name is associated with this IP address and returns that information to your browser, allowing it to connect directly to the website without going through your ISP.
Illustration of how DNS works
DNS is a hierarchical naming scheme used on the Internet for computers and other Internet-connected devices. It translates human-readable names into the numerical IP addresses that computers use to communicate over the network. A malicious actor attempts to manipulate the domain name system settings on your computer to gain your IP address by modifying what should be displayed when someone types in, say, "neptunemutual.com" instead of "www.neptunemutual.com" into their preferred browser.
When a user requests "neptunemutual.com" via a web browser, the text will be forwarded to this lookup database, which will then determine whether or not "neptunemutual.com" exists. If it does, the database will return its associated IP address, which will be used by the web browser to locate the server hosting the content.
If a hacker manages to break into the system, they may alter the DNS records in such a way that legitimate websites' addresses are redirected to malicious domains or their content is scrubbed from search engine results. Domain name hijacking is one of the common tactics used by hackers to divert users away from their intended target. This form of assault is known as a "front-end attack," since it happens when hackers obtain access to the area of your website that allows users to interact with it. In such a scenario, your content could be hacked and replaced with someone else's, or it could be completely removed!
Cream Finance and PancakeSwap both reported that DNS spoofers had compromised their websites in March 2021. As a result of the attack, the front-end websites for both protocols requested users to enter their seed phrase. If the phrase is entered, the attacker will be able to take control of the users' wallets and drain their funds.
In another scenario, BadgerDAO users lost approximately $120 million in a front-end attack in December of the same year when their API key for Cloudflare, a website security service, was compromised. The attacker injected a malicious script into Badger's front-end, intercepting transactions and requesting users to approve contracts controlled by the hacker.List of lost funds due to front end attacks, DNS hijacking, and other DNS based attacks
These attack vectors can be briefly described under the some of the following headings:
DNS spoofing, also known as DNS cache poisoning, involves redirecting visitors to a fake website that impersonates the intended destination by using altered DNS records. When users arrive at the fraudulent site, they are prompted to log in to their account, which allows the threat actor to steal access credentials as well as any sensitive information entered into the bogus login form. Furthermore, these malicious websites are frequently infected with viruses or worms on end users' computers, granting the threat actor full access to the machine and its contents.
Illustration of DNS poisoningIllustration of DNS spoofing
A DNS tunnel can be created by embedding other programs or protocol data in DNS queries and responses. In most cases, the malware comes with data payloads that can compromise a DNS server and grant attackers administrative access to the remote server and any programs running on it. DNS tunneling often relies on the external network connectivity of a compromised system, which provides a way into an internal DNS server with network access.
A DNS NXDOMAIN flood DDoS attack tries to overload the DNS server by sending a large number of requests for invalid or non-existent records. DNS proxy servers typically respond to these attacks by repeatedly querying the DNS authoritative server. As a result, both the DNS authoritative server and the DNS proxy server are occupied with invalid requests, causing the response time for valid requests to slow down until it eventually stops altogether.
Web3 users should double-check the addresses associated with every crypto transaction they conduct. Users' interfaces are being compromised even on reputable websites, resulting in invalid token approvals.
The team behind the project can protect their network from cache poisoning by enabling security settings in their DNS.
DNS Revolver can be kept private and secure by restricting its use to authorized internal users only, rather than the entire network.
Securely manage your DNS servers by hosting them in-house, through a service provider, or with the help of a domain registrar.
Our security team at Neptune Mutual can validate your platform for DNS and web-based security, as well as frontend and backend security. We can offer you a solution to scan your platform for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Subtle remediation strategies will be outlined in our guidelines, and changes to your existing platform can be adjusted instantly.
