Audits & Security

1. Audits

• Audit report from BlockSec (Source)

• Audit report from PeckShield (Source)

• Audit report from Sherlock (Source)

2. Bug Bounty

ExtraFi runs a bug bounty program on ImmuneFi that rewards whitehats for reporting valid vulnerabilities in our code. You can find further information on this program here.

3. Proactive Monitoring

(The partnership has not yet been renewed in 2025, still in review)

We have partnered with Hexagate to protect the protocol from cyber exploits, hacks, governance, and financial risks.

4. Insurance

• Partnered with OpenCover. Users can buy covers for their ExtraFi positions through OpenCover, learn more here.

• Or, users can buy covers through the InsurAce app, learn more here.

5. Price Protection

Time-Weighted Average Price (TWAP) model is implemented in Extra Finance's smart contract to safeguard against abnormal price fluctuations and potential malicious price manipulation.

Chainlink price feed is also aggregated on Extra Finance, it is used to avoid abnormal price fluctuation.

Extra Finance on Chainlink Ecosystem | Every Chainlink integration and partnershipwww.chainlinkecosystem.com

6. Access Control

• No fund withdrawal function is designed for admin in smart contracts.

• Multi-sig authentication is implemented for contract configurations, such as parameters like protocol fee, liquidation threshold, reserve rate, etc.

• Upgrades on contract configurations are subject to a governance process, which includes a set of procedures and guidelines. This process involves multiple levels of review and approval from various stakeholders and serves to ensure transparency and consistency in managing changes to contract configurations.

• The 'owner' role of the EXTRA token contract has been invalidated, meaning that no further new mints are possible. (Verify Here)

7. Risk Control

To mitigate the risk of lenders facing potential bad debt during market volatility and safeguard leveraged users from possible liquidations due to inadequate liquidity, Extra Finance has instituted a series of measures to list farming pools. These measures necessitate that these pools meet vital liquidity thresholds. Additionally, when configuring leveraged farming pools, careful consideration will be given to the following factors:

• Price Stability: The TVL of a liquidity pool, combined with the stability of the underlying assets' prices, will play a pivotal role in determining the maximum allowable leverage factor for a specific farming pool.

• Asset Credibility: Assets that are new to the market or possess lower credibility will be subject to restrictions on

  • The maximum leverage factor

  • The maximum value (or 'credit') that a leveraged pool can borrow from lending pools (This is why there are instances when users cannot open new positions, even if there are still assets available in the lending pools)

  • A lower debt ratio can be subject to liquidation, this implies that emerging asset liquidity pools could experience earlier liquidation compared to more established mainstream pools.

• Liquidity Proportion: To enhance liquidation safety, if the liquidity proportion sourced from ExtraFi exceeds a threshold (typically 30%), we may temporarily disable leverage for opening new positions until the proportion decreases. (Disabling leverage does not mean de-listing; it is a precautionary risk control measure.)

References:

1. https://github.com/blocksecteam/audit-reports/blob/main/solidity/blocksec_extrafinance_v1.0-signed.pdf

2. https://github.com/peckshield/publications/tree/master/audit_reports/PeckShield-Audit-Report-ExtraFi-v1.0.pdf

3. https://github.com/sherlock-protocol/sherlock-reports/blob/main/audits/2024.12.01%20-%20Final%20-%20Extra%20Finance%20Audit%20Report.pdf