Smart Contract and On-Chain Transactions Risk Management Policy
Entered into force on February 21, 2026.
On-chain voting result: association.dao.eth/transaction-hash
1. General Provisions and Objective
1.1. Subject: This Smart Contract and On-Chain Transactions Risk Management Policy (hereinafter the "Policy") establishes mandatory procedures and security standards for all on-chain operations and interactions with key smart contracts of New Epoch Association (hereinafter the "Association").
1.2. Objective: Minimization of operational, technological, and financial risks related to human factors, code errors, and external attacks (exploits) to ensure the safekeeping of the Association’s Assets.
1.3. Applicable Law: This Policy is governed by the substantive law of Switzerland. Lex Cryptographica (protocol code) is applied subsidiarily.
2. Management of Critical Transactions
2.1. Transaction Classification: All on-chain operations are classified by risk level:
2.1.1. Critical: Transactions affecting Asset security, code modification (updating), or withdrawal of funds exceeding 10,000 USD.
2.1.2. Operational: Daily transactions (compensations, small Grants) not exceeding the Critical threshold.
2.2. Multisignature Procedure: Qualified Confirmation (approval under the Multisignature protocol) established in the Governance Resolution is required for all Critical transactions.
2.3. Transaction Testing: Before executing any Critical transaction, the Authorized Representative must simulate the transaction on a test network or with a verified simulation tool (e.g., Tenderly or its equivalent) to confirm its predictable result and the absence of vulnerabilities.
2.4. Representatives’ Actions: Authorized Representatives must use cold wallets or verified hardware security modules (HSM) for storing master keys managing the multisignature of the Association’s Assets. For operational (non-critical) transactions, the use of hot keys managed by an approved and audited session key manager is permitted.
3. Smart Contract Risk Management
3.1. Mandatory Audit: Mandatory audit applies to all smart contracts, bridges, or financial instruments that the Association develops, deploys, or uses independently. These smart contracts must undergo independent security audits conducted by two external, reputable audit firms, with results published publicly.
3.2. Emergency Response and Dependency Reduction Protocol: The Association acknowledges the lack of direct control over the base protocol’s pause mechanism. Therefore, the Association undertakes not to use third-party financial protocols, bridges, or instruments that do not provide the possibility for emergency pause or secure fund withdrawal in case of failure.
3.3. Storage Limit: No single smart contract (except for the Association’s main Assets) shall hold more than 20% of the total Strategic portfolio of the Association.
4. Emergency Response
4.1. Response Plan: The Association must maintain and regularly update an Emergency Response Plan including contacts of key auditors, lawyers, and security specialists.
4.2. Notification: In case of detection of a critical vulnerability or security incident, Authorized Representatives must immediately (within 24 hours) notify the Association’s community through official communication channels while observing the provisions of the Privacy Policy.
5. Effective Date and Amendments
5.1. Effective Date: This Policy comes into force on the same date and at the same time as the Governance Resolution enters into force.
5.2. Amendments: Any changes to this Policy may only be made through Voting with Qualified Confirmation performed in accordance with the Governance Resolution.
5.3. Notice: Continued use of the Association’s website, software, and Tokens after posting amendments signifies user acceptance of the updated Policy.
