BNPL Pay · DeFi lending · Smart contracts
A DeFi lending protocol rebuilt to be upgradable, multi-chain, and audit-grade
BNPL Protocol V2 — an upgradable, multi-chain lending protocol with 100% test coverage on a real mainnet fork, taken through a CertiK audit.
The situation
BNPL Pay runs a decentralized lending protocol where the smart contracts custody real deposits and route them through Aave and Uniswap. V1 worked, but its economics were fixed in code: a single fee model, locked to a single chain, with no clean way to upgrade a deployed instance. Evolving the protocol meant migrating users, and iterating on the incentive design meant redeploying rather than reconfiguring. The next phase asked for more: configurable economics, a path onto L2s, and a security posture provable enough to stand in front of an institutional audit.
What we did
- Rebuilt the protocol on UUPS and Beacon Proxy patterns so it evolves through upgrades, not user migrations. Deployed instances move forward without disruption.
- Replaced the single fixed fee model with four independent, governance-controlled levers, one each for lenders, stakers, the protocol, and node operators, each tuned separately.
- Structured a single codebase that deploys to Ethereum, Optimism, and the L2s that come next, without per-chain forks.
- Tested against a mainnet fork using real contract interactions, exercising the live Aave and Uniswap paths rather than mocked state.
- Built defense-in-depth into the contracts: reentrancy protection, safe edge-case defaults, and state-consistency guarantees across every operation.
- Optimized gas across all operations to keep the cost profile suitable for institutional volume.
The outcome
- Upgraded on mainnet with zero disruption to existing BankingNode operations and no user migration required.
- Four independent, governance-controlled fee levers, tunable without redeployment.
- One codebase across chains: Ethereum and Optimism live, future L2s without a rewrite.
- Lower gas costs across operations, translating to higher net returns for users.
- Reentrancy-safe and edge-case protected, with no known state-consistency gaps.
- 100% test coverage validated on a mainnet fork. Zero coverage gaps, audit-ready by construction.
- CertiK audit completed. Ready for institutional deployment.
“Our users trust the protocol with their capital, and that trust is the whole product. binhatch rebuilt V2 so we can evolve the economics and ship to new chains without ever asking people to migrate, then took it through a CertiK audit. We upgraded on mainnet with zero disruption to existing operations. The protocol now moves as fast as we need it to, without putting that trust at risk.”
“The V2 contracts were tested the way smart contracts should be: against a mainnet fork, exercising the real Aave and Uniswap paths instead of mocks. Every code path covered, edge-case defaults validated, reentrancy closed off. That's the difference between code that looks safe and code you can put an audit and real deposits behind.”
In DeFi, a lending contract is only as trustworthy as its least-tested path. Code that custodies real deposits earns trust one way: every path exercised, every edge case defaulted safely, every integration tested against the chain as it actually behaves. V2 was rebuilt to that bar. The protocol now evolves through upgrades instead of migrations, prices its economics through four independent levers instead of one fixed model, and runs from a single codebase across Ethereum, Optimism, and the L2s that come next. High-stakes software engineering, on-chain: when shipping wrong moves money, a mainnet fork is the only honest place to find out first.