Are Exolane Smart Contracts Audited?
Yes. Exolane's smart contracts have been audited 7 times by two independent security firms: 6 audits by Sherlock and 1 by Zellic. The audits cover the core protocol, oracle integration, collateral system, liquidation logic, funding rate math, position management, vault contracts, and access controls. All critical and high-severity findings were fixed and verified by auditors.
Exolane's contracts are based on the Perennial V2 codebase. The audits listed below were conducted on this codebase across its evolution from V2 through V2.4. Audits reduce risk but do not eliminate it — undiscovered vulnerabilities may exist even in audited code.
Audit Timeline
| Date | Auditor | Version | Focus |
|---|---|---|---|
| Aug 2023 | Sherlock | V2 | Core Protocol |
| Aug 2023 | Zellic | V2 | Core Contracts |
| Sep 2023 | Sherlock | V2 Fix | Issue Remediation |
| Oct 2023 | Sherlock | V2.1 | Protocol Updates |
| Mar 2024 | Sherlock | V2.2 | Protocol Updates |
| Aug 2024 | Sherlock | V2.3 | Protocol Updates |
| Feb 2025 | Sherlock | V2.4 | Protocol Updates |
What Was Audited
Finding Resolution
All critical and high-severity findings across all audits were:
- Acknowledged by the development team
- Fixed in subsequent code versions
- Verified by the auditing firm in follow-up reviews
Fix review audits (like the September 2023 Sherlock review) were specifically conducted to verify that previously identified issues were properly resolved.
About the Auditors
Sherlock (6 audits)
Sherlock combines traditional expert-led audits with decentralized security contests. They have secured hundreds of DeFi protocols and provide ongoing coverage.
Zellic (1 audit)
Zellic specializes in adversarial security research for complex financial protocols. They perform deep manual code review combined with automated analysis.
Important: Limitations of Audits
Audits do not guarantee security. They reduce risk but cannot eliminate it entirely. Specific limitations:
- Auditors may miss vulnerabilities — no audit catches everything
- Code changes after an audit may introduce new bugs
- Economic attacks and oracle manipulation may not be fully covered
- Exolane's contracts use upgradeable proxies — implementation code can change through governance
Read "How to Read a DeFi Audit Properly" for a guide on evaluating audit reports.
Where to Find the Reports
- Documentation: Audits page — full list with download links
- GitHub: exolanedex — audit reports in the repository
- Documentation — all contract addresses, audit links, and Arbiscan links in one place
What You Should Verify Yourself
- Download and read the audit reports — don't just take our word for it.
- Check that the deployed contract bytecode matches the audited source (contracts are verified on Arbiscan).
- Review the finding severity breakdown — look for any unresolved issues.
- Check the dates — are the audits recent enough relative to the deployed code?
- Understand that upgradeable proxies mean the implementation can change. Monitor the TimelockController for pending changes.
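One way to do the bytecode check from the list above, as an added example that is not Exolane's or the auditors' code: compare the runtime code returned by `eth_getCode` with a local build of the audited commit, ignoring only the CBOR metadata trailer that the Solidity compiler appends. The function names and sample bytecode are constructed for illustration, and the sketch assumes the contracts were compiled with solc's default metadata trailer.

```python
from typing import Optional, Tuple

def to_bytes(hex_code: str) -> bytes:
    """Decode an eth_getCode result; the "0x" prefix is optional."""
    return bytes.fromhex(hex_code[2:] if hex_code.startswith("0x") else hex_code)

def split_metadata(code: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Split runtime bytecode into (executable part, solc CBOR metadata or None)."""
    if len(code) < 2:
        return code, None
    cbor_len = int.from_bytes(code[-2:], "big")  # last 2 bytes: big-endian CBOR length
    start = len(code) - 2 - cbor_len
    # The trailer must fit inside the code and open with a CBOR map header (0xa0-0xb7).
    if cbor_len == 0 or start < 0 or not 0xA0 <= code[start] <= 0xB7:
        return code, None
    return code[:start], code[start:-2]

def compare_runtime(deployed_hex: str, compiled_hex: str) -> str:
    """Classify deployed runtime code against a local build of the audited commit."""
    deployed, compiled = to_bytes(deployed_hex), to_bytes(compiled_hex)
    if not deployed:
        return "no-code"  # wrong address, wrong network, or not a contract
    if deployed == compiled:
        return "exact-match"
    d_exec, d_meta = split_metadata(deployed)
    c_exec, c_meta = split_metadata(compiled)
    # Same instructions, different metadata hash (e.g. source comments or file
    # paths changed): the executable code is still identical.
    if d_meta is not None and c_meta is not None and d_exec == c_exec:
        return "match-except-metadata"
    return "mismatch"  # also raised by immutables/linked libraries: diff by hand

def trailer(fill: int) -> bytes:
    """Constructed solc-style trailer: {"ipfs": 34 bytes, "solc": 3 bytes} + length."""
    cbor = (bytes.fromhex("a264697066735822") + bytes([fill]) * 34
            + bytes.fromhex("64736f6c6343") + bytes([0, 8, 19]))
    return cbor + len(cbor).to_bytes(2, "big")

BODY = bytes.fromhex("6080604052600080fd")  # constructed stand-in for real code
AUDITED = "0x" + (BODY + trailer(0x11)).hex()
REBUILT = "0x" + (BODY + trailer(0x22)).hex()
PATCHED = "0x" + (BODY[:-1] + b"\x00" + trailer(0x11)).hex()

if __name__ == "__main__":
    for name, code in [("audited", AUDITED), ("rebuilt", REBUILT),
                       ("patched", PATCHED), ("empty", "0x")]:
        print(f"{name:8} {compare_runtime(code, AUDITED)}")
```

For a proxy, run the comparison against the implementation address the proxy currently points to, and repeat it after any upgrade executed through the TimelockController.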