ReputaREPUTA
← Nexus Mutual
Product analysis · Native Protocol Cover: Teller

Teller protocol cover,
coverage and gaps.

In plain words

The team buys one cover for everyone using the listed contracts. It pays on a hack of exactly those contracts, minus 5% of the cover amount, and the payout has to be passed on to users or the cover is void.

Teller is a lending protocol built around an open order-book model, where lenders set their own criteria and commit capital to markets rather than relying on a single pooled rate. Nexus lists a Native Protocol Cover for it: the product type where the team buys one cover and its users are the protected party, with the wording obliging the team to pass a recovery on. This is currently the only active listing of that type on Nexus. Its annex is the most precise in the whole set: it names each covered contract and pins them to a specific GitHub commit. This analysis reads that annex and checks the fit. Facts, not advice.

71/100 Solid fit

Who this is for: The Teller team, protecting its USERS (lenders and borrowers on the covered contracts) against a smart contract failure

The strongest structure for users in the entire team family, and the one with the sharpest edges. Two things set it apart. First, the base wording does the work no annex can: clause 10.12 makes the recovery the users property, so a team keeping the payout voids the cover, and the proof of loss shifts from per-wallet signatures to a team post-mortem, which is what actually happens after an exploit. Second, the annex is unusually rigorous: it lists every covered contract by name and pins the covered version to GitHub commit 38c87ae, and states that the cover cannot be applied in part or whole to any contract outside that list. That is verifiable scope, which is rare. The same rigour is the risk. A pinned commit ages: any contract deployed or upgraded after it, and any market or peripheral contract not on the list, is outside the cover, and a lending protocol is a moving target. Add clause 10.11, which excludes losses caused by the team using its own admin controls, including pausing, and you have a cover that is excellent against the clean case (a bug in a listed contract at the pinned version) and thin against the messy one (an incident spanning newer code, or one where the team intervenes to limit damage). At a fixed 4.05% per year with a 5% deductible, it is also the most expensive of the four team listings, which fits the peril but should be a conscious decision.

Data confidence: medium · Assessment as of 2026-07-19 · Methodology: Assecura Score

How to read this page: where each value comes from

On-chain Read from contracts, verifiable by anyone at any time.
Contract doc From a binding written document, off-chain but checkable.
Provider claim Stated by the provider, off-chain: a matter of trust.
Third party From a third-party source, off-chain: a matter of trust.
Our assessment Our judgement under the Assecura methodology.

Only on-chain values are verifiable without trusting anyone. Everything off-chain, including binding documents, ultimately relies on trust in the source.

Live on-chain On-chain

Reading the chain…

Profile

Provider Nexus Mutual (see provider profile for legal nature, claims, capital) Our assessment
Product Teller Native Protocol Cover Terms plus a dedicated annex (read here from IPFS). Private and fixed-price Contract doc
Who is protected The protocol users: under the Native Protocol Cover wording, cover bought without user knowledge or a recovery not intended for the users is void (clause 10.12) Contract doc
Covered protocol Teller: order-book style DeFi lending, with lenders committing capital under their own criteria via TellerV2 and the lender commitment contracts Provider claim
Covered contracts Named individually in the annex: Collateral Manager, CollateralEscrowV1, Smart Commitment Forwarder, TellerV2 (with TellerV2Context, TellerV2 Storage, V2Calculations), Market Registry, LenderCommitmentGroup_Smart (with UniswapPricingLibrary), LenderCommitmentGroupShares and LenderCommitmentGroup_Pool_V2 Contract doc
Version pinned The covered version of those contracts is the one at GitHub commit 38c87ae, per the annex Contract doc
Deductible 5% of the cover amount (per annex) Contract doc
Price & assets Fixed 4.05% per year; cover assets ETH, USDC and cbBTC Provider claim

A pinned commit is the best and the most brittle scope definition there is: Most cover wordings describe the covered system in prose, which leaves room to argue after an incident. This annex does the opposite: it names nine contracts and fixes their covered version to a single commit hash, and it says explicitly that the cover cannot be extended in part or in whole to anything outside that list. Anyone can verify the scope in an afternoon, and after an exploit there is little to dispute about whether the affected contract was in it. The cost of that precision is that the protocol keeps moving and the commit does not. A contract redeployed after an upgrade, a new market, a peripheral helper, a fix shipped in response to an audit: each one sits outside the pinned version unless the annex is updated. So the question to ask about this cover is never just "is there cover", it is "does the deployed code still match the commit the cover was written against".

What is covered Contract doc

The Native Protocol Cover wording plus the Teller annex. The covered event is a loss of user funds caused by a failure of the listed contracts at the pinned version, above a deductible of 5% of the cover amount.

Real-risk fit

Main risk: Exploit of a listed Teller contract at the pinned version covered

The single risk most likely to hurt here is inside the cover.

1 covered 3 conditional 4 excluded ringed = main risk
Does it fit you?

Pick what you actually want protection from; the list below highlights your answer. Runs in your browser only, nothing is sent.

Even "covered" is not a payment guarantee: every claim is decided by the mutual's members (claims assessors). A risk not listed here is most likely not part of the wording at all. No advice.

Pick your risks above and only those appear here, with the verdict: covered or not.

Conditions attached Contract doc

Wording Teller Native Protocol Cover Terms plus the annex read here from IPFS; the annex sets the deductible and the exact covered contracts
Deductible 5% of the cover amount
Scope limit Strictly limited to the designated contracts; the annex rules out applying the cover in part or in whole to anything outside that list
Covered version The contracts as at GitHub commit 38c87ae in the Teller Protocol repository
Pass-through duty Clause 10.12: the recovery must be intended for the users; a team keeping the payout voids the cover
Access Private (isPrivate) and fixed-price at 4.05% per year, drawing on five Nexus staking pools

Who decides on claims Provider claim

Same core process as every Nexus claim (Claims Committee, assessor voting), but the Native Protocol Cover type changes the practical part: the proof of loss is a team post-mortem with transaction references rather than per-wallet cryptographic evidence, which is far more workable after a protocol-wide exploit. The pinned contract list also narrows what has to be argued: whether the failing contract was in scope is close to a factual question here rather than an interpretive one. No Teller claim is on record.

Assecura Score Our assessment

A structured assessment across seven categories, 0 to 100 points in total. The score is an opinion based on the sources below, not a probability of payout and not a guarantee.

Note: this product is bought by a protocol team, not by end users. We therefore score it with our team rubric, which asks the questions a team asks. The most important one: if disaster strikes, does the money actually reach the users? Compare this score only with other team products, not with the retail list.

Premium cross-check
Assecura score 71/100 Solid fit
vs
Market premium 4.05%/yr high risk · snapshot
The market prices more risk than the cover rating alone shows. That risk usually sits in the covered protocol, not in the cover quality.

The premium is the underwriters price verdict: mainly how likely a claim is. The Assecura score measures how good the cover is: fit, clarity, capital, claims. Where they diverge, look twice.

Coverage clarity & scope control 17/20

The best scope definition in the set: nine contracts named individually, the covered version pinned to a commit hash, and an explicit statement that nothing outside the list is covered. Anyone can verify it. Deduction: the pinned commit ages with every upgrade, and the annex does not say how or whether it is refreshed.

Capital & payout capacity 16/20

Same shared pool as the provider profile, on-chain verifiable, live above. Better spread than the slashing umbrellas: capacity is drawn from five staking pools rather than one, so a payout does not depend on a single pool manager.

Claims process & incident fit 11/15

The best incident fit of any team product here: one cover for all users, post-mortem-based proof of loss instead of per-wallet signatures, and a scope so precise that the in-or-out question is largely factual. Minus: untested, and clause 10.11 penalises exactly the intervention an incident calls for.

User outcome 11/15

The builder question: does the payout reach the protocol users? Clause 10.12 answers it structurally, and this is the only listing in the live team set where that is true: the recovery must be intended for the users or the cover is void, so the team is a trustee, not the owner. Deduction: how distribution works in practice and who verifies it is untested.

Governance & conflicts 5/10

Nexus side unchanged. Team side: the same admin controls that make 10.11 bite are also what a team needs to respond to an attack, so the wording puts the team in a conflict at the worst possible moment. Whether the annex is kept current after upgrades is likewise entirely the team decision.

Legal enforceability (inherited) 3/10

Discretionary cover, no enforceable claim: identical to the provider profile. For teams the 10.12 void condition adds a further way to lose the cover entirely.

Transparency to users 8/10

The strongest here: the annex is public, the covered contracts are named, the version is a verifiable commit, and the active cover amount is visible via the Nexus API. Reduced because a user still cannot see whether the deployed code matches the pinned commit today, which is the fact that decides whether the cover applies.

Total 71/100 · Solid fit

Red flags Our assessment

01

Clause 10.11 excludes losses caused by the team using its own admin controls, including pausing: the standard incident response can put the loss outside the cover.

02

The covered version is pinned to commit 38c87ae: contracts upgraded or deployed after it are not covered unless the annex is refreshed, and nothing surfaces that state to users.

03

Bad debt is not covered: the everyday risk of a lending protocol, a borrower defaulting or collateral falling short, is credit risk and stays with the lender.

04

Payout remains discretionary: the loss is decided by assessor voting, so the provider-level warning applies unchanged.

05

Clause 10.12 voids the cover if the recovery is not intended for the users: strong protection for users, and a real way for a team to lose everything by mishandling the payout.

06

Most expensive of the four team listings at a fixed 4.05% per year plus a 5% deductible: the cost of covering active smart contract risk rather than a rare tail event.

Open questions Our assessment

Points this analysis could not verify. Anyone buying significant cover should clarify these first.

Sources

Analysis as of 2026-07-19. Live figures update every 5 minutes from the contracts. Not affiliated with Native Protocol Cover: Teller. Informational only, no legal, investment or insurance advice.