Exponent takes protocol security very seriously as it directly impacts users. Before releasing any program/product to the public on mainnet, Exponent’s core contributors take extensive precautions to reduce risks. More lines of code are often written for testing program security than for the program itself.

Additionally, every major product launch or program upgrade undergoes a third-party security review to catch bugs or vulnerabilities that Exponent’s core contributors might have missed. All Exponent audits can be found here.

Here are several of the measures Exponent employs to keep the protocol aligned with the strongest security practices in the industry:

Unit tests

Unit tests simulate regular user activities to ensure the programs function as intended. They catch bugs early, with Exponent’s core contributors running hundreds of scenarios against each piece of code. They also make future updates safer, since a failing unit test quickly reveals when a change in one part of the system affects another.

Stress tests

Stress tests push the protocol to its limits under extreme conditions to assess how it would perform during critical scenarios, such as high transaction volume, sudden liquidity shifts, or rapid changes in implied yields.

Security tests

Exponent employs various types of security tests to assess the robustness and soundness of its programs:

  • Penetration tests simulate malicious interactions with Exponent’s smart contracts/programs and verify that instructions fail when inputs deviate from the expected parameters, rather than being silently accepted. This confirms that the protocol rejects unauthorized actions and does not enter unexpected states under adversarial input.
  • Integration tests evaluate the flow and economics of Exponent’s programs by simulating scenarios that span multiple components. They ensure that interactions between components work correctly and that yield calculations, token minting, and trading flows remain accurate under diverse conditions.

Real-time Monitoring

Exponent continuously monitors onchain activity on the protocol to detect suspicious or anomalous behavior from potential attackers. This allows the core contributing team to respond to an attack in progress before it escalates into serious damage.

Inflow/outflow limits

While testing, monitoring, and security audits provide robust protection, no protocol can be completely bulletproof. To add another layer of protection for users, Exponent enforces inflow and outflow limits on the operations of each yield market (mint, redeem, liquidity, claiming yield). They act as guardrails in the unlikely event of a compromise: an attacker can move at most the limit within its window, which prevents the protocol from being drained or a market from being manipulated in one stroke. The limits bound the damage from a compromise rather than preventing one, so they complement the measures above instead of replacing them. They are derived from historical flows and are sized so that they do not interfere with regular user activity.
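As an added example (not Exponent’s code, and not a description of how its limits are actually computed), the following Rust models one way such a guardrail can work: a sliding-window cap per market and per operation, with the cap derived from historical daily flows. It also illustrates the negative-test discipline described under penetration tests above, in that a drain attempt is rejected with an explicit error rather than processed. The window length, the multiplier, the floor, the fail-closed handling of unconfigured operations, and the sample volumes are assumptions chosen for this example; in an on-chain program the window state would live in the market’s account and `now` would come from the clock sysvar, which this stand-alone version replaces with a plain timestamp argument.

```rust
use std::collections::{HashMap, VecDeque};

/// Operations that move value into or out of a yield market.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Op { Mint, Redeem, AddLiquidity, RemoveLiquidity, ClaimYield }

#[derive(Debug, PartialEq, Eq)]
pub enum LimitError {
    /// The request would push the window total above the cap.
    Exceeded { requested: u64, remaining: u64 },
    /// Arithmetic overflow while summing amounts; treated as a hard reject.
    Overflow,
}

/// Sliding-window cap on the value moved by one operation in one market.
/// The same structure serves inflows (mint, add liquidity) and outflows (redeem, claim).
#[derive(Debug)]
pub struct FlowLimiter {
    window_secs: u64,
    limit: u64,
    events: VecDeque<(u64, u64)>, // (unix_ts, amount) still inside the window
}

impl FlowLimiter {
    /// Derive the cap from historical daily flows (assumption for this example):
    /// `multiplier` times the largest observed day, with a `floor` so a quiet market stays usable.
    pub fn from_history(daily_flows: &[u64], multiplier: u64, floor: u64, window_secs: u64) -> Self {
        let peak = daily_flows.iter().copied().max().unwrap_or(0);
        let limit = peak.saturating_mul(multiplier).max(floor);
        FlowLimiter { window_secs, limit, events: VecDeque::new() }
    }

    pub fn limit(&self) -> u64 { self.limit }

    /// Drop events that have aged out of the window ending at `now`.
    fn prune(&mut self, now: u64) {
        while let Some(&(ts, _)) = self.events.front() {
            if now.saturating_sub(ts) >= self.window_secs { self.events.pop_front(); } else { break; }
        }
    }

    /// Amount already moved inside the window ending at `now`.
    pub fn used(&mut self, now: u64) -> u64 {
        self.prune(now);
        self.events.iter().map(|&(_, amt)| amt).sum()
    }

    /// Admit `amount` at `now` and record it, returning the remaining headroom, or reject it.
    pub fn try_consume(&mut self, now: u64, amount: u64) -> Result<u64, LimitError> {
        let used = self.used(now);
        let total = used.checked_add(amount).ok_or(LimitError::Overflow)?;
        if total > self.limit {
            return Err(LimitError::Exceeded { requested: amount, remaining: self.limit - used });
        }
        self.events.push_back((now, amount));
        Ok(self.limit - total)
    }
}

/// One limiter per operation for a single yield market.
pub struct MarketGuardrails { limiters: HashMap<Op, FlowLimiter> }

impl MarketGuardrails {
    pub fn new() -> Self { MarketGuardrails { limiters: HashMap::new() } }

    pub fn set(&mut self, op: Op, limiter: FlowLimiter) { self.limiters.insert(op, limiter); }

    /// Operations with no configured limiter are rejected (fail closed; a design choice here).
    pub fn check(&mut self, op: Op, now: u64, amount: u64) -> Result<u64, LimitError> {
        match self.limiters.get_mut(&op) {
            Some(l) => l.try_consume(now, amount),
            None => Err(LimitError::Exceeded { requested: amount, remaining: 0 }),
        }
    }
}

/// Scenario with constructed numbers: three days of redeem history, then one day of traffic.
pub fn demo() -> Vec<Result<u64, LimitError>> {
    let day = 86_400;
    let mut market = MarketGuardrails::new();
    // Constructed history: the busiest day redeemed 250_000 base units, so the cap is 500_000.
    market.set(Op::Redeem, FlowLimiter::from_history(&[100_000, 250_000, 180_000], 2, 10_000, day));
    vec![
        market.check(Op::Redeem, 0, 200_000),    // normal user: Ok(300_000) headroom left
        market.check(Op::Redeem, 100, 250_000),  // large but legitimate: Ok(50_000)
        market.check(Op::Redeem, 200, 100_000),  // drain attempt: Err(Exceeded { remaining: 50_000 })
        market.check(Op::Redeem, 200, 50_000),   // exactly the remaining headroom: Ok(0)
        market.check(Op::Redeem, day, 200_000),  // first event aged out of the window: Ok(0)
        market.check(Op::ClaimYield, day, 1),    // no limiter configured for this op: rejected
    ]
}

fn main() {
    for r in demo() { println!("{:?}", r); }
}
```

The rejected drain attempt at `t = 200` is exactly the outcome a penetration test should assert on: the instruction returns a typed error and leaves the window state untouched, so a follow-up request for the remaining headroom still succeeds. Sizing the cap from a multiple of the historical peak, rather than from the pool’s total value, is what keeps the limit from interfering with regular activity while still bounding a single-window loss.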

Admin control under multisig

Like many DeFi protocols on Solana, Exponent has upgradeable programs and adjustable protocol parameters (e.g. program upgrades, fee settings, new markets). Relying on a single private key would be a security risk, since its compromise could directly impact user funds and protocol integrity. Instead, Exponent’s admin authority is held by a multisig of multiple core contributors, so no single key can upgrade the programs or change parameters. This also mitigates the risk of insider attacks, since no individual contributor can act alone.

As the protocol matures, external ecosystem members will gradually be added to the multisig.

For its multisig setup, Exponent uses Squads, the leading multisig infrastructure on Solana, which is formally verified and secures over $10B in value.