Verify a decision

{"actor":"system:backfill","investigation_id":"6cabadc3-8ceb-411b-bb9c-4948459cefc0","kind":"publish","page_slug":"exactly","published_at":"2026-05-28T15:02:26.153Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Exactly Protocol","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://rekt.news/exactly-protocol-rekt/","type":"other","url":""},{"credibility":3,"name":"https://www.coindesk.com/business/2023/08/18/crypto-lender-exactly-hit-by-12m-bridge-exploit","type":"other","url":""},{"credibility":3,"name":"https://www.halborn.com/blog/post/explained-the-exactly-protocol-hack-august-2023","type":"other","url":""},{"credibility":3,"name":"https://immunebytes.com/blog/defi-exactly-protocol-hack-analysis/","type":"other","url":""},{"credibility":3,"name":"https://medium.com/neptune-mutual/how-was-exactly-protocol-exploited-5ecfa5ad968b","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.halborn.com/blog/post/explained-the-exactly-protocol-hack-august-2023","type":"other","url":""},{"credibility":3,"name":"https://immunebytes.com/blog/defi-exactly-protocol-hack-analysis/","type":"other","url":""},{"credibility":3,"name":"https://olympix.security/blog/exactly-protocol-lost-7-3m-the-code-worked-the-assumptions-didnt","type":"other","url":""},{"credibility":3,"name":"https://rekt.news/exactly-protocol-rekt/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://medium.com/@exactly_protocol/exactly-protocol-recap-4-e58db6dca618","type":"other","url":""},{"credibility":3,"name":"https://cryptonews.com/news/exactly-protocol-announces-700000-bounty-for-information-hacker/","type":"other","url":""},{"credibility":3,"name":"https://www.pymnts.com/cryptocurrency/2023/crypto-market-exactly-protocol-targeted-in-12-million-hack/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://medium.com/@exactly_protocol/exaip-03-addressing-the-exactly-protocol-hack-and-compensating-affected-users-6e2cd4a0a179","type":"other","url":""},{"credibility":3,"name":"https://medium.com/@exactly_protocol/exactly-protocol-report-q4-2023-5ab2e0838c77","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.crunchbase.com/person/gabriel-gruber","type":"other","url":""},{"credibility":3,"name":"https://rocketreach.co/gabriel-gruber-email_732721","type":"other","url":""},{"credibility":3,"name":"https://www.rootdata.com/member/Gabriel%20Gruber?k=OTA5Mw%3D%3D","type":"other","url":""},{"credibility":3,"name":"https://immunefi.com/bounty/exactly/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://gov.optimism.io/t/exactly-protocol-and-the-exa-app-scaling-onchain-finance-on-optimism/9962","type":"other","url":""},{"credibility":3,"name":"https://medium.com/@exactly_protocol/connecting-the-dots-the-exactly-protocol-and-the-exa-app-f9579ad74c67","type":"other","url":""},{"credibility":3,"name":"https://medium.com/@exactly_protocol/scaling-the-dots-44634b918b2f","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/exactly","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://zachxbt.mirror.xyz/","type":"other","url":""},{"credibility":3,"name":"https://t.me/investigations","type":"other","url":""}]}],"sources_used":[],"summary":"Exactly Protocol is a decentralized, non-custodial fixed-rate and variable-rate lending protocol deployed on the Optimism Layer 2 network. On August 18, 2023, the protocol suffered a critical exploit resulting in approximately $7.3–$12 million in ETH stolen from 117 user accounts due to insufficient input validation in its DebtManager periphery contract. The protocol has since resumed operations, engaged law enforcement, offered a $700,000 bounty, and passed a governance proposal to compensate affected users with EXA tokens.","timeline":[{"date":"2021-07-01","event":"Exactly Protocol founded by Gabriel Gruber and Lucas Lain under Exa Labs.","source":""},{"date":"2022-11-01","event":"Exactly Protocol launched on Ethereum Mainnet.","source":""},{"date":"2023-03-01","event":"Exactly Protocol deployed on Optimism Layer 2 network.","source":""},{"date":"2023-08-18","event":"Exploit executed via malicious market address in DebtManager contract; approximately $7.3–$12 million in ETH stolen from 117 user accounts. Protocol temporarily paused. EXA token fell over 12%.","source":""},{"date":"2023-08-19","event":"Protocol published post-mortem identifying DebtManager vulnerability. $700,000 bounty announced for information leading to attacker arrest and fund recovery.","source":""},{"date":"2023-09-01","event":"Protocol team contacted US Department of Homeland Security; HSI opened case NY02HR23NY0001. Chainalysis engaged to trace stolen funds.","source":""},{"date":"2023-09-01","event":"ABDK Consulting completed audit of remediated DebtManager contract; Strategies section of web app re-enabled.","source":""},{"date":"2023-10-01","event":"EXAIP-03 governance proposal approved; one million EXA tokens allocated as compensation to 117 hack victims, with 48-month linear vesting beginning June 2024.","source":""},{"date":"2024-06-01","event":"Vesting of EXAIP-03 compensation tokens commenced via Sablier NFTs for affected users.","source":""},{"date":"2025-02-01","event":"Exactly Protocol announced partnership with Uphold fintech platform to integrate Exa Credit Card and Exa Loans.","source":""},{"date":"2025-03-01","event":"Exa App launched to general users in 160+ countries, enabling crypto-backed credit cards and fixed-rate lending.","source":""}]},"v":1}