0xca11.eth

@0xca11

Joined on Mar 28, 2021

  • (HAL-01) LACK OF TRANSFEROWNERSHIP PATTERN
    Transfer-accept ownership pattern implemented in commit 52ccfde.
    (HAL-02) THE CALLER CAN NOT SPECIFY THRESHOLD TO SPECIFY BOUNDS FOR THE TRADE SUCCEEDING
    Since the trade is with a counterparty, and there is no scope for the order amount to change since it's submitted by the taker, the order will either fail or succeed depending on the taker amount passed as a parameter. This can be calculated up front without needing to pass in a slippage tolerance or any bounds. In the case of a partial fill, the amount can also be calculated up front.
    (HAL-03) POSSIBLE ROUNDING ERROR CAN CAUSE TO ADDITIONAL ASSET TAKE OVER
    Rounding is done to favor the maker. For fees, rounding is done to favor the user.
    (HAL-04) USE OF ECRECOVER IS SUSCEPTIBLE TO SIGNATURE MALLEABILITY
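The malleability behind HAL-04, shown as an added example rather than the project's code or anything from the Halborn report: a pure-Python secp256k1 signer and ecrecover. It demonstrates that for any valid (v, r, s), the pair (r, N - s) with the recovery id flipped recovers the same public key, and that bounding s to the lower half of the curve order (the rule OpenZeppelin's ECDSA library enforces) rejects that second form. The key, the message and the nonce derivation are constructed for the example (the nonce scheme is a simplification of RFC 6979, not an implementation of it), and sha256 stands in for keccak256, which ECDSA itself does not care about.

```python
import hashlib

# secp256k1 domain parameters (the curve Ethereum's ecrecover uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HALF_N = N // 2  # upper bound on s that the low-s rule enforces


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (doubling, a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def sign(priv, z):
    """Return (v, r, s) for message hash z. Nonce derived from priv||z (simplified RFC 6979)."""
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + z.to_bytes(32, "big")).digest(), "big") % N
    R = _mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    v = 27 + (R[1] & 1)  # recovery id: parity of R.y, as ecrecover expects
    return v, r, s


def recover(z, v, r, s):
    """Pure-Python ecrecover: the public key point for (v, r, s) over hash z, or None."""
    if not (1 <= r < N and 1 <= s < N) or v not in (27, 28):
        return None
    rhs = (r**3 + 7) % P
    y = pow(rhs, (P + 1) // 4, P)  # modular sqrt, valid because P % 4 == 3
    if y * y % P != rhs:
        return None  # r is not the x coordinate of any curve point
    if (y & 1) != (v - 27):
        y = P - y
    R = (r, y)
    zG = _mul(z % N, G)
    neg_zG = None if zG is None else (zG[0], (-zG[1]) % P)
    # Q = r^-1 * (s*R - z*G)
    return _mul(pow(r, -1, N), _add(_mul(s, R), neg_zG))


def malleate(v, r, s):
    """The other valid signature for the same key and hash: (r, N - s) with v flipped."""
    return (28 if v == 27 else 27), r, N - s


def recover_strict(z, v, r, s):
    """ecrecover plus the low-s rule: exactly one of a signature and its malleated twin passes."""
    if s > HALF_N:
        return None
    return recover(z, v, r, s)


def demo():
    """Constructed key and message; returns (pub, sig, malleated_sig, z)."""
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    pub = _mul(priv, G)
    z = int.from_bytes(hashlib.sha256(b"constructed order payload").digest(), "big")  # keccak256 stand-in
    sig = sign(priv, z)
    return pub, sig, malleate(*sig), z


if __name__ == "__main__":
    pub, sig, sig2, z = demo()
    print("plain recover agrees on both forms:", recover(z, *sig) == recover(z, *sig2) == pub)
    print("strict accepts original:", recover_strict(z, *sig) is not None,
          "| strict accepts malleated:", recover_strict(z, *sig2) is not None)
```

The practical consequence is the classic one: a contract that keys anything on the signature bytes themselves (a "used signatures" map, a cancellation record, an event index) can be bypassed by the twin, while keying on the signed order hash or a nonce, or enforcing the low-s bound before ecrecover, closes it.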
  • (HAL-01) Floating Pragma
    All the relevant contracts are now fixed to a 0.5.17 version pragma: 3cbe3ad.
    (HAL-02) Experimental Features Enabled
    As the bug report article states "The 0.5.7 release contains the fixes to all bugs explained in this blog post", and we're now using a fixed 0.5.17 solidity version, which includes fixes for the bug in question.
    (HAL-03) Gas Optimization on the Divide Ceil Calculation
    We implemented the recommended gas optimization on commit 251440b.
    (HAL-04) Lack of Integer Underflow Protection
  • (HAL-01) Vulnerable TimelockController Contract
    As recommended by Halborn, we updated the TimelockController contract to use the revised timelock contract from version 3.4.2-solc-0.7 of the OpenZeppelin contracts, which included a fix to the vulnerability reported by Halborn. The changes were added at the following commit: 1550fd9.
    (HAL-02) Misuse of an Oracle
    We acknowledge and understand the recommendation given by Halborn to check if the latest price data returned by a Chainlink oracle is recent. Still, since that method is only a utility to be used by our app's UI, we decided not to add the suggested checks because we want the UI always to get some price data to display, even if it's a bit stale. In conclusion, the reported issue doesn't affect any critical contract functionality.
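The freshness check Halborn recommended under HAL-02, as an added Python model of what a consumer of Chainlink's latestRoundData() usually validates before trusting the answer. This is not the project's code: the five field names mirror the real AggregatorV3Interface return tuple, but the RoundData class, the heartbeat and the sample rounds are constructed here. It goes a little beyond the single recency check the post discusses, adding the answeredInRound and positive-answer sanity checks that normally accompany it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoundData:
    """The five values AggregatorV3Interface.latestRoundData() returns."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


def check_round(rd, now, max_age):
    """Return (ok, reason); ok is False when rd.answer must not be used.

    max_age should come from the feed's documented heartbeat (plus a small
    margin), not from an arbitrary constant, or the check is either useless
    or a denial of service against the caller.
    """
    if rd.answer <= 0:
        return False, "non-positive answer"
    if rd.updated_at == 0:
        return False, "round not complete"
    if rd.answered_in_round < rd.round_id:
        return False, "answer carried over from an earlier round"
    if now - rd.updated_at > max_age:
        return False, "price older than max_age"
    return True, "fresh"


NOW = 1_700_000_000   # constructed block.timestamp
HEARTBEAT = 3600      # constructed heartbeat for the example feed
PRICE = 2000 * 10**8  # constructed 8-decimal answer

# Constructed rounds; only "fresh" should be accepted.
SAMPLE_ROUNDS = {
    "fresh": RoundData(100, PRICE, NOW - 120, NOW - 60, 100),
    "stale": RoundData(100, PRICE, NOW - 7200, NOW - 7000, 100),
    "carried_over": RoundData(101, PRICE, NOW - 60, NOW - 60, 100),
    "incomplete": RoundData(102, PRICE, NOW - 10, 0, 102),
    "negative": RoundData(103, -1, NOW - 10, NOW - 10, 103),
}


def evaluate(now=NOW, max_age=HEARTBEAT):
    """Run check_round over every sample and map name -> (ok, reason)."""
    return {name: check_round(rd, now, max_age) for name, rd in SAMPLE_ROUNDS.items()}


if __name__ == "__main__":
    for name, (ok, reason) in evaluate().items():
        print(f"{name:13s} ok={ok!s:5s} {reason}")
```

Whether a UI-only helper needs this is a product decision, as the post says; the point of the model is that a contract path which later reuses the same helper inherits the missing checks, so the decision is worth recording next to the function.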