|
| 1 | +--- |
| 2 | +description: Powering onchain credit, debit and lending in the Exa App |
| 3 | +icon: robot |
| 4 | +--- |
| 5 | + |
| 6 | +# Exa Plugin |
| 7 | + |
| 8 | +## Overview |
| 9 | + |
| 10 | +The Exa Plugin is a modular smart contract designed exclusively for the Exa App, providing seamless interaction with the Exactly Protocol. This integration enables users to borrow, lend, and manage credit and debit transactions through a self-custodial smart account. By leveraging ERC-6900 modular accounts, the Exa Plugin ensures a smooth DeFi experience, automating key financial operations while maintaining security and efficiency.  |
| 11 | + |
| 12 | +[Quantstamp](https://quantstamp.com/) audited the Exa Plugin to verify its adherence to high-security standards. By integrating this plugin, Exa App users can:\ |
| 13 | + |
| 14 | + |
| 15 | +* Deposit collateral and take loans within Exactly Protocol. |
| 16 | +* Execute credit or debit transactions without constant manual approvals. |
| 17 | +* Automate key lending and borrowing processes using a structured role system. |
| 18 | + |
| 19 | +### Key Characteristics: |
| 20 | + |
| 21 | +* Automated lending and borrowing: The plugin facilitates collateral management and repayments through Exactly Protocol without requiring user intervention for each action. |
| 22 | +* WebAuthn integration: Users authenticate transactions using biometrics, eliminating the need for seed phrases. |
| 23 | +* Keeper role automation: The keeper bot assists in executing operations like enabling collateral, processing loans, managing repayments, and handling proposals. |
| 24 | + |
| 25 | +### Roles and Responsibilities |
| 26 | + |
| 27 | +The Exa Plugin defines specific roles to enforce structured execution logic, ensuring secure and automated transactions. |
| 28 | + |
| 29 | +**Admin Role (DEFAULT\_ADMIN\_ROLE)** |
| 30 | + |
| 31 | +The admin role is designed to manage critical plugin settings and role assignments. |
| 32 | + |
| 33 | +Key functions: |
| 34 | + |
| 35 | +`setIssuer()` – Assigns the issuer responsible for transaction approvals. |
| 36 | + |
| 37 | +`setOperationExpiry()` – Configures the expiry time for transaction authorization. |
| 38 | + |
| 39 | +`setPrevIssuerWindow()` – Defines the time window for recognizing previous issuers. |
| 40 | + |
| 41 | +grantRole(role), setFlashLoaner, setCollector, setProposalManager,setSwapper, allowPlugin |
| 42 | + |
| 43 | +**Keeper Role (KEEPER\_ROLE)**  |
| 44 | + |
| 45 | +The KEEPER\_ROLE is assigned to an automated entity responsible for executing transactions that require protocol enforcement. This role interacts with Exactly Protocol’s lending pools and ensures credit-related actions comply with liquidity constraints and proposal validations. |
| 46 | + |
| 47 | +Functions restricted to KEEPER\_ROLE: |
| 48 | + |
| 49 | +`collectCredit()` – Executes on-chain borrowing for credit transactions. |
| 50 | + |
| 51 | +`collectCollateral()` – Moves collateral from external markets into Exactly Protocol. |
| 52 | + |
| 53 | +`collectInstallments()` – Processes installment-based credit repayments. |
| 54 | + |
| 55 | +`collectDebit()` – Handles direct debit operations to repay borrowed amounts. |
| 56 | + |
| 57 | +`poke() / pokeETH()` – Marks assets as collateral and updates liquidity status. |
| 58 | + |
| 59 | +`repay() / crossRepay()` – Facilitates repayment and refinancing of loans. |
| 60 | + |
| 61 | +`executeProposal()` – Executes time-locked proposals submitted by the user. |
| 62 | + |
| 63 | +These functions enforce risk management mechanisms, prevent unauthorized withdrawals, and ensure the proper execution of credit-related workflows. |
| 64 | + |
| 65 | +**Issuer Role (IssuerChecker)** |
| 66 | + |
| 67 | +The issuer is responsible for validating and authorizing transactions within the Exa Plugin. This role ensures that credit transactions and refunds are approved before execution, enforcing additional security measures. |
| 68 | + |
| 69 | +The issuer operates through the IssuerChecker contract, which verifies and signs operations related to credit payments and refunds. |
| 70 | + |
| 71 | +The issuer is responsible for: |
| 72 | + |
| 73 | +`checkIssuer()` – Verifies that a credit or refund transaction is properly signed and authorized. |
| 74 | + |
| 75 | +### Core Smart Contracts |
| 76 | + |
| 77 | +The Exa Plugin consists of multiple smart contracts, each playing a crucial role in enabling lending, credit payments, and refunds. |
| 78 | + |
| 79 | +**1. Exa Account Factory (ExaAccountFactory.sol)** |
| 80 | + |
| 81 | +This contract creates and initializes modular accounts for users, integrating both the WebAuthn owner plugin and the Exa Plugin. |
| 82 | + |
| 83 | +Deploys accounts with pre-configured plugins for WebAuthn authentication and on-chain lending. |
| 84 | + |
| 85 | +Uses `donateStake()` to add stake in the EntryPoint contract. |
| 86 | + |
| 87 | +Handles the initialization of accounts, ensuring all required plugins are installed. |
| 88 | + |
| 89 | +**2. Exa Account Interface (IExaAccount.sol)** |
| 90 | + |
| 91 | +Defines the core lending, repayment, and proposal functions used by the Exa Plugin. |
| 92 | + |
| 93 | +Supports borrowing, collateral management, token swaps, and repayments. |
| 94 | + |
| 95 | +Implements liquidity and risk management constraints. |
| 96 | + |
| 97 | +Introduces a proposal system to delay execution and validate intent. |
| 98 | + |
| 99 | +**3. Installments Previewer (InstallmentsPreviewer.sol)** |
| 100 | + |
| 101 | +A read-only contract that calculates expected loan installments based on market conditions. |
| 102 | + |
| 103 | +Fetches floating and fixed-rate borrowing data from Exactly Protocol. |
| 104 | + |
| 105 | +Evaluates utilization rates for risk assessment. |
| 106 | + |
| 107 | +Helps users preview their installment plans before borrowing. |
| 108 | + |
| 109 | +**4. Issuer Checker (IssuerChecker.sol)** |
| 110 | + |
| 111 | +Handles issuer validation and transaction approval.\ |
| 112 | +Uses ECDSA signature verification to authenticate transactions. |
| 113 | + |
| 114 | +Maintains an operation expiry window to prevent replay attacks. |
| 115 | + |
| 116 | +Ensures only authorized issuers can approve transactions. |
| 117 | + |
| 118 | +**5. Refunder (Refunder.sol)** |
| 119 | + |
| 120 | +Processes approved refunds for users. |
| 121 | + |
| 122 | +Interacts with Exactly Protocol to deposit refunded assets. |
| 123 | + |
| 124 | +Uses IssuerChecker to validate refund requests. |
| 125 | + |
| 126 | +Implements role-based access control to restrict refund execution. |
| 127 | + |
| 128 | +Security Considerations\ |
| 129 | + |
| 130 | + |
| 131 | + |
| 132 | +* Restricted function execution: Only approved functions can interact with the Exactly Protocol.\ |
| 133 | + |
| 134 | +* Proposal-based withdrawals: Ensures sufficient collateral remains locked before allowing withdrawals.\ |
| 135 | + |
| 136 | +* Execution hooks: Enforces execution logic through runtime validations and prevents unauthorized calls.\ |
| 137 | + |
| 138 | +* Plugin allowlist: Only approved plugins can be installed or swapped, reducing attack vectors.\ |
| 139 | + |
| 140 | +* Flash loan risk protection: Credit repayment with flash loans is validated atomically to avoid misuse. |
| 141 | + |
| 142 | +### [Exa Plugin GitHub repository](broken-reference) |
| 143 | + |
| 144 | +### [Exa Plugin Audit](https://github.com/exactly/audits/blob/main/Quantstamp%20Exa%20App%20Plugin%20\(Mar-25\).pdf) |
| 145 | + |
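
Review bot: File line 41 lists the remaining admin functions as bare text ("grantRole(role), setFlashLoaner, setCollector, setProposalManager,setSwapper, allowPlugin") with no code formatting and no descriptions, unlike the three setters on lines 35-39. Judging by their names, these are the privileged calls that choose the flash loaner, collector, proposal manager, swapper and allowed plugins that the Security Considerations bullets depend on, so each should get its own backticked entry with one line on what it controls and who may call it. Smaller points in the same file: "Security Considerations" on line 128 is missing the `###` marker the other sections use; lines 12, 111, 128 and 132-138 end in a stray `\`; the repository link on line 142 points at `broken-reference`; and line 114 says the operation expiry window prevents replay attacks, which would be clearer if it also stated whether a signed operation can be reused inside that window.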