Exactly Protocol Periphery Exploit
Attacker passed a fake market and forged permit to Exactly Protocol's DebtManager on Optimism; leverage() validated neither, draining $7.3M from 117 accounts.
- Date: August 18, 2023
- Victim: Exactly Protocol
- Chain(s): Optimism
- Status
- Funds Stolen: ~$7.3M in ETH
On August 18, 2023, the Optimism-based lending protocol Exactly Protocol was exploited for approximately $7.3 million in ETH. The bug was in the DebtManager periphery contract — specifically, the leverage() function that accepted both a market contract address and a permit signature as inputs and validated neither. 117 user accounts had their deposits drained. The protocol's TVL fell from $37M to $11.74M — a 70% decline — within hours.
What happened
Exactly's main lending markets were rigorously audited; the periphery contracts surrounding them — utility contracts that helped users perform multi-step operations like leveraged borrowing — were originally out of scope. The DebtManager was one such periphery contract.
The leverage() function on DebtManager accepted:
- A `market` parameter identifying which Exactly market to interact with.
- A `permit` signature authorising token transfers on the user's behalf.
The function used these inputs to perform a series of operations that ultimately moved value from the user's existing positions in legitimate Exactly markets. The fatal flaw: neither parameter was validated:
- The `market` parameter was accepted as-is, so an attacker could pass the address of a fake market contract they had deployed.
- The `permit` was processed through standard ERC-2612 logic, but the function didn't verify that the permit had been signed for the correct purpose or by the legitimate market participant.
The attacker:
- Deployed a fake "market" contract that implemented the expected interface but did whatever the attacker wanted internally.
- Forged a permit for the operation — the permit's signature was technically valid for the function call, but its semantics did not match a legitimate Exactly leverage operation.
- Called `leverage()` with both inputs — the function used the fake market's responses to control how value was moved between Exactly's legitimate contracts, ultimately routing user collateral to the attacker.
- Drained funds from 117 accounts for a total of ~$7.3M.
Aftermath
- Exactly paused the protocol within hours, following its emergency-procedure runbook.
- The team publicly re-engaged ABDK, the original auditor, for a fresh round of audits — this time including periphery contracts that had been excluded from the original audit scope.
- A reimbursement plan was launched, funded from protocol revenue and team reserves.
- The stolen funds were laundered through Tornado Cash; no public recovery.
Why it matters
Exactly Protocol's incident is one of the clearest cases for audit scope as a security control in its own right. The lending markets were correctly audited and worked as designed. The bug was in the contracts that talked to the markets — periphery code that the team had deployed to improve UX but that was not held to the same security rigour as the core protocol.
The structural lessons:
- Periphery contracts are part of the protocol's attack surface even when they don't hold user funds directly. If a periphery contract can move user funds via permits or approvals, it has the same security requirements as the core.
- Audit scope must be explicit about what's not covered — and any contract excluded from audit should be excluded from production deployment until it has its own dedicated review.
- Permit signatures are a powerful primitive that requires careful semantic validation — a valid ERC-2612 permit signature doesn't tell you why the signer authorised the operation, only that they signed some operation. Any function that consumes permits must validate that the permit's parameters match its intended purpose.
Exactly Protocol's response — re-engaging the original auditor with expanded scope — has become a recurring pattern in post-incident remediation across DeFi. The lesson, paid for in the affected users' $7.3M, is the right one even if the cost was high.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-exactly-protocol-hack-august-2023
- [02] theblock.co: https://www.theblock.co/post/246196/exactly-protocol-exploited-7-million-optimism-layer-2-network
- [03] olympix.security: https://olympix.security/blog/exactly-protocol-lost-7-3m-the-code-worked-the-assumptions-didnt