A proposal to utilize Hashlock as the second auditor for the recent Exactly Protocol Interest Rate Model Upgrade (IRM v2). The first audit was conducted by ABDK in February 2024.
Exactly’s mission is decentralizing the credit market, making DeFi and its numerous benefits accessible to a broader audience. At Exactly, users can make a deposit or a loan at a fixed rate for a certain period of time, which is known in the traditional financial world as "fixed income". That way, users will have an efficient means to hedge the interest rate volatility.
About Hashlock
Hashlock is a leading independent blockchain cybersecurity and smart contract auditing firm, started within Australia, serving clients globally. We are a highly specialised Blockchain Cybersecurity firm, coming from academic manual analysis, community auditing backgrounds, and white hat hacking, and we differentiate ourselves by the quantity of findings and by maintaining a high level of collaboration with our clients. Due to the high quality, Hashlock has been featured on CoinMarketCap as the best smart contract auditor (https://coinmarketcap.com/community/articles/64b502a267e6733dca684dd0/).
We also run trustedweb3.io, a one-stop information hub for all things Blockchain Cybersecurity and a recognition of security-focused industry stakeholders.
By getting the same piece of code re-audited, Exactly Protocol benefits from having different auditor perspectives, as it secures greater levels of review quality and increases confidence in the code and the protocol. Every auditor has their own style, as auditing is an artform, hence the different perspectives and attack vectors being covered.
Proposal
Hashlock is to prepare works for the following:
a) A comprehensive report detailing the contracts' security and efficiency, found via methods including:
• Manual line-by-line code review
• Manual penetration testing
• Simulated Protocol interactions
• Software tool analysis
• SWC-Registry vulnerability testing
• Specification to function matching
• Optimisation and code convention checks
• Code analysis, static security analysis, penetration and exploitation, vulnerability identification, and recommendations on resolving issues.
b) Pre-audit research and context finding.
c) Communication with the smart contract developer around our findings and recommendations.
d) Preliminary Report, Communication with you around our findings and recommendations.
e) Creation and provision of marketing graphics to use as social and website certification.
Hashlock takes into consideration all preliminary documentation, content, profit & overheads associated with this project.
Scope: Exactly Protocol: https://github.com/exactly/protocol
The scope covers the recent changes in the repo, in the files below:
• Contracts
- Auditor.sol
- InterestRateModel.sol
- Market.sol
- MarketETHRouter.sol
- PriceFeedDouble.sol
- PriceFeedPool.sol
- PriceFeedWrapper.sol
- RewardsController.sol
• Utils
- FixedLib.sol
• Periphery
- EXA.sol
- Airdrop.sol
Besides the previously explained benefits of several auditors combing through the same code, aligning with Hashlock is not just about unparalleled security, it's also about brand prestige. By partnering with us, we have the ability to promote that Exactly Protocol has undergone an audit from an independent Blockchain Cyber Security firm. Hashlock’s Audit Reports are human-readable to a non-technical audience, and will in this case be made public after vulnerabilities are resolved, to educate the public in an article-style content piece. At the client's discretion, Hashlock often promotes completed audits via industry body partners, social media, and other means.
Hashlock charges a fee of $5,000 EXA to conduct the audit, create and deliver the report and communicate our findings. Hashlock envisages a timeline of 14 days to finalise the preliminary report, with a start date on the 11th of March, following the approval of this proposal.
The EXA tokens will be received during the 14-day period, after which the preliminary report is shared.