Core Programs
| Program | What it Does | Address |
|---|---|---|
| Exponent Core | Strip yield assets, merge back, manage yield distributions. | ExponentnaRg3CQbW6dqQNZKXp7gtZ9DGMp1cwC4HAS7 |
| Exponent CLMM | Concentrated liquidity AMM — buy/sell PT and YT, provide liquidity | XPC1MM4dYACDfykNuXYZ5una2DsMDWL24CrYubCvarC |
| Exponent Orderbook | Limit order book — post offers at specific APY levels, market orders | XPBookgQTN2p8Yw1C2La35XkPMmZTCEYH77AdReVvK1 |
| Exponent Strategy Vaults |
Interface Programs
Each interface program handles wrapping/unwrapping for a specific yield source.
| Program | Address |
|---|---|
| Generic | XP1BRLn8eCYSygrd8er5P4GKdzqKbC3DLoSsS5UYVZy |
| Kamino | XPK1ndTK1xrgRg99ifvdPP1exrx8D1mRXTuxBkkroCx |
| marginfi | XPMfipyhcbq3DBvgvxkbZY7GekwmGNJLMD3wdiCkBc7 |
| Jito Restaking | XPJitopeUEhMZVF72CvswnwrS2U2akQvk5s26aEfWv2 |
| Perena | XPerenaJPyvnjseLCn7rgzxFEum6zX1k89C13SPTyGZ |
Security Practices
Exponent takes protocol security seriously because it directly impacts users and the integrity of the protocol. Before any program or product is released on mainnet, Exponent’s core contributors put it through extensive internal testing and external review. In practice, security work often accounts for a significant share of the development effort. All major product launches and program upgrades also undergo third-party security reviews. Find Exponent’s audits here.
Unit Testing
Hundreds of scenarios are tested to verify program behavior, catch regressions early, and make upgrades safer.
Stress Testing
Programs are tested under extreme conditions such as high volume, liquidity shocks, and rapid yield changes.
Security Testing
Penetration-style and integration-level testing help validate both instruction safety and cross-component behavior.
Real-Time Monitoring
Onchain activity is monitored to detect suspicious behavior and respond quickly to anomalies.
Guardrail Limits
Inflow and outflow limits add guardrails that can help contain damage in the unlikely event of a compromise.
Multisig Controls
Sensitive admin actions are governed through a multisig rather than a single key.
How Do These Measures Work
Unit tests
Unit tests simulate regular user activities to ensure the programs function as intended. They help catch and resolve bugs early, with the Exponent core contributors running hundreds of scenarios against each piece of code. This also makes future updates safer, as unit tests quickly reveal if changes in one part of the system affect others.
Stress tests
Stress tests push the protocol’s programs under extreme conditions to evaluate how they behave during critical scenarios, including high transaction volume, sudden liquidity shifts, or rapid changes in implied yields.
Security tests
Exponent employs various types of security tests to assess the robustness and soundness of its programs:
- Penetration tests simulate potential malicious interactions with Exponent’s smart contracts/programs, verifying that the instructions fail when inputs deviate from the expected parameters. This ensures the protocol can withstand attack vectors and prevents unauthorized actions or unexpected behaviors.
- Integration tests evaluate the flow and economics of Exponent’s programs by simulating multiple scenarios across components. They ensure that interactions within the protocol work correctly and that aspects like yield calculations, token minting, and trading flows remain accurate under diverse conditions.
Real-time monitoring
Exponent constantly monitors onchain activity on the protocol to detect suspicious or anomalous behavior from potential attackers. This allows the core contributing team to proactively crush malicious attacks before they become serious.
Inflow and outflow limits
While testing, monitoring, and security audits provide robust protection, no protocol can be completely bulletproof. To add an additional layer of security for users, Exponent implements inflow and outflow limits for each yield market (mint, redeem, liquidity, claiming yield). They act as guardrails in the unlikely event of a compromise, preventing an attacker from draining the protocol or manipulating a market. These limits are calculated based on historical outflows and are designed not to interfere with regular user activity.
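A model of such a guardrail, as an added example that is not Exponent's code: one rolling-window limiter per flow type in a market, with the cap derived from historical per-window totals. The window length, the peak-plus-headroom policy and all names (`cap_from_history`, `FlowLimiter`, `MarketGuard`) are assumptions, and the history values are constructed.

```rust
use std::collections::VecDeque;

// Flow types the page lists per yield market; used as an array index.
#[derive(Clone, Copy)]
pub enum Flow { Mint, Redeem, Liquidity, ClaimYield }

// Assumed policy: cap = historical per-window peak plus headroom (basis points).
pub fn cap_from_history(window_totals: &[u64], headroom_bps: u64) -> u64 {
    let peak = window_totals.iter().copied().max().unwrap_or(0);
    peak.saturating_mul(10_000 + headroom_bps) / 10_000
}

pub struct FlowLimiter { cap: u64, window_secs: i64, events: VecDeque<(i64, u64)>, used: u64 }
impl FlowLimiter {
    pub fn new(cap: u64, window_secs: i64) -> Self {
        Self { cap, window_secs, events: VecDeque::new(), used: 0 }
    }
    // Record `amount` at unix time `now`; on rejection nothing is recorded.
    pub fn try_record(&mut self, now: i64, amount: u64) -> Result<u64, &'static str> {
        // Drop events that have aged out of the rolling window.
        while let Some(&(ts, amt)) = self.events.front() {
            if now - ts < self.window_secs { break; }
            self.used -= amt;
            self.events.pop_front();
        }
        let total = self.used.checked_add(amount).ok_or("amount overflow")?;
        if total > self.cap { return Err("flow limit exceeded"); }
        self.events.push_back((now, amount));
        self.used = total;
        Ok(self.cap - total) // headroom left in this window
    }
}

// One independent limiter per flow type for a single market.
pub struct MarketGuard { limiters: [FlowLimiter; 4] }
impl MarketGuard {
    pub fn new(caps: [u64; 4], window_secs: i64) -> Self {
        Self { limiters: caps.map(|c| FlowLimiter::new(c, window_secs)) }
    }
    pub fn check(&mut self, flow: Flow, now: i64, amount: u64) -> Result<u64, &'static str> {
        self.limiters[flow as usize].try_record(now, amount)
    }
}

fn main() {
    let cap = cap_from_history(&[400, 950, 1_000, 700], 2_000); // constructed history
    let mut guard = MarketGuard::new([cap; 4], 3_600);
    println!("{:?}", guard.check(Flow::Redeem, 0, 500));
}
```

A rejected request leaves the window untouched, so a burst that hits the cap cannot lock out later in-limit activity once older events expire.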
Admin control under multisig
Like many DeFi protocols on Solana, Exponent has mutable code and adjustable protocol parameters (e.g. program upgrades, fee settings, new markets). Rather than relying on a single private key, which poses a security risk as its compromise could directly impact user funds and protocol integrity, Exponent’s admin parameters are governed by a multisig of multiple core contributors. This also mitigates the risk of insider attacks. For its multisig setup, Exponent uses Squads, the leading multisig infrastructure on Solana, which is formally verified and secures over $10B in value.