Difference between revisions of "Pancakeswap (CAKE)"

From CryptoWiki

Line 18: Line 18:


*PancakeSwap has a [https://immunefi.com/bounty/pancakeswap/ 1,000,000$] bug bounty program with [[Immunifi|ImmuneFi]], and it is an active program. ([https://docs.defisafety.com/misc-and-in-work/pancakeswap-process-quality-review-v2#audits 5-8-2021]).  
*PancakeSwap has a [https://immunefi.com/bounty/pancakeswap/ 1,000,000$] bug bounty program with [[Immunifi|ImmuneFi]], and it is an active program. ([https://docs.defisafety.com/misc-and-in-work/pancakeswap-process-quality-review-v2#audits 5-8-2021]).  
*Got an updated score of [https://defisafety.com/2021/08/05/pancakeswap/ 82%] on [[DeFi Safety]] (5-8-2021):
*Lowered back to [https://www.defisafety.com/app/pqrs/481 54%] on [[DeFi Safety]] (20-6-2022). Mainly due to documentation, [[Admin Key|admin keys]] and [[oracle]] low scores.
*Got an updated score of [https://defisafety.com/2021/08/05/pancakeswap/ 82%] (5-8-2021):


''"PakcakeSwap's core contracts have been audited by [[CertiK (CTK)|Certik]], and twice by [[Slowmist]]. PancakeSwap's lottery V2 has been audited twice, and most of the changes recommended have been implemented. PancakeSwap's [[Peckshield]] Lottery V2 [https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-PancakeswapLottery-v1.0.pdf Audit]. PancakeSwap's Slowmist Lottery V2 [https://github.com/slowmist/Knowledge-Base/blob/master/open-report/Smart%20Contract%20Security%20Audit%20Report%20-%20PancakeSwap%20Lottery.pdf Audit]."''
''"PakcakeSwap's core contracts have been audited by [[CertiK (CTK)|Certik]], and twice by [[Slowmist]]. PancakeSwap's lottery V2 has been audited twice, and most of the changes recommended have been implemented. PancakeSwap's [[Peckshield]] Lottery V2 [https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-PancakeswapLottery-v1.0.pdf Audit]. PancakeSwap's Slowmist Lottery V2 [https://github.com/slowmist/Knowledge-Base/blob/master/open-report/Smart%20Contract%20Security%20Audit%20Report%20-%20PancakeSwap%20Lottery.pdf Audit]."''
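Review bot: the 54% entry dated 20-6-2022 sits above the 82% entry dated 5-8-2021, so "Lowered back to" refers to a score the reader has not yet seen. Move the 20-6-2022 line below the 82% entry and its quote so the scores read in date order.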
Line 29: Line 30:


===Bugs/Exploits===
===Bugs/Exploits===
*[https://blockthreat.substack.com/p/blockthreat-week-26-2021?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozODkyMTU0NCwiXyI6IitrN3VtIiwiaWF0IjoxNjI2Njc3NzM5LCJleHAiOjE2MjY2ODEzMzksImlzcyI6InB1Yi04MTA1Iiwic3ViIjoicG9zdC1yZWFjdGlvbiJ9.Y4svSIwaJYNNcqBtdVKODz2x From] [[BlockThreat]] (19-7-2021):
''"PancakeSwap fixed a [https://medium.com/immunefi/pancakeswap-logic-error-bug-fix-postmortem-f2d02adb6983 logic bug] which could result in the loss of $700K after it was responsibly disclosed by [https://twitter.com/junorouse Juno]."''
* [https://www.defisafety.com/app/pqrs/481 From] [[DeFi Safety]] (12-3-2021):
''"PancakeSwap's lottery underwent a whitehack proceeding the discovery of a potential exploit. The whitehack is described in the following [https://cryptopwnage.medium.com/1-800-000-was-stolen-from-binance-smart-chain-pancakeswap-lottery-pool-ca2afb415f9 link] under the pretense that PancakeSwap's [[Admin Key|admin]] performed the exploit maliciously, which is not true. However, it still describes the exploit quite well."''


*[https://thedefiant.substack.com/p/-meet-mooncats-the-og-nft-cats-beating?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozMzc5MjEyNCwiXyI6IktlUHpyIiwiaWF0IjoxNjE1OTU0NTU4LCJleHAiOjE2MTU5NTgxNTgsImlzcyI6InB1Yi0xMTI1OSIsInN1YiI6InBvc3QtcmVhY3Rpb24ifQ.PE616ynpY From] [[The Defiant]] (17-3-2021):
*[https://thedefiant.substack.com/p/-meet-mooncats-the-og-nft-cats-beating?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozMzc5MjEyNCwiXyI6IktlUHpyIiwiaWF0IjoxNjE1OTU0NTU4LCJleHAiOjE2MTU5NTgxNTgsImlzcyI6InB1Yi0xMTI1OSIsInN1YiI6InBvc3QtcmVhY3Rpb24ifQ.PE616ynpY From] [[The Defiant]] (17-3-2021):


''"Hackers compromised PancakeSwap’s and [[Cream Finance (CREAM)|Cream Finance]]’s websites yesterday. The Domain Name Service ([[DNS]]) attack modified the affected protocols’ website to display a request for the user’s [[seed]] phrase, which, if submitted, would compromise their entire account. Because the attack was not on a [[smart contract]] itself it is still unclear how many users the hacker tricked into sending their seed phrase as well as the total amount the attack netted.''"
''"Hackers compromised PancakeSwap’s and [[Cream Finance (CREAM)|Cream Finance]]’s websites yesterday. The Domain Name Service ([[DNS]]) attack modified the affected protocols’ website to display a request for the user’s [[seed]] phrase, which, if submitted, would compromise their entire account. Because the attack was not on a [[smart contract]] itself it is still unclear how many users the hacker tricked into sending their seed phrase as well as the total amount the attack netted.''"
* [https://blockthreat.substack.com/p/blockthreat-week-26-2021?token=eyJ1c2VyX2lkIjoxMzk3OTAwLCJwb3N0X2lkIjozODkyMTU0NCwiXyI6IitrN3VtIiwiaWF0IjoxNjI2Njc3NzM5LCJleHAiOjE2MjY2ODEzMzksImlzcyI6InB1Yi04MTA1Iiwic3ViIjoicG9zdC1yZWFjdGlvbiJ9.Y4svSIwaJYNNcqBtdVKODz2x From] [[BlockThreat]] (19-7-2021):
''"PancakeSwap fixed a [https://medium.com/immunefi/pancakeswap-logic-error-bug-fix-postmortem-f2d02adb6983 logic bug] which could result in the loss of $700K after it was responsibly disclosed by [https://twitter.com/junorouse Juno]."''


==Governance==
==Governance==
===Admin Keys===
===Admin Keys===


* Previously it scored very [https://docs.defisafety.com/finished-reviews/pancakeswap-process-quality-review#access-controls low] on [[Admin Key|Access Controls]], due to no information given. It got updated to 71%. [https://docs.defisafety.com/misc-and-in-work/pancakeswap-process-quality-review-v2#audits From] [[DeFi Safety]] (5-8-2021):
* [https://www.defisafety.com/app/pqrs/481 From] [[DeFi Safety]] (20-6-2022):
''"The relevant [[Smart Contract (SC)|contracts]] are identified as upgradeable through a 3/6 [[Safe (SAFE)|Gnosis]] [[Multi-Signature|multisig]], as identified [https://docs.pancakeswap.finance/governance/syrup-pools/smartchefinitializable here]. The full extent of the contracts' change capabilities is not explicitly described, yet it can be assumed that they are mostly completely upgradeable through their 3/6 multisig. This proven in contract code. No pause control information is documented. No [[timelock]] information is documented. By reading the contract code, we learned there is a 6 hour timelock."''
*Previously it scored very [https://docs.defisafety.com/finished-reviews/pancakeswap-process-quality-review#access-controls low] on [[Admin Key|Access Controls]], due to no information given. It got updated to 71%. [https://docs.defisafety.com/misc-and-in-work/pancakeswap-process-quality-review-v2#audits From] DeFi Safety (5-8-2021):


''"PancakeSwap's admin controls are not well labelled and spread across multiple directories.''  
''"PancakeSwap's admin controls are not well labelled and spread across multiple directories.''  
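Review bot: the BlockThreat and The Defiant links in the Bugs/Exploits list keep Substack's ?token= query string, which is a JWT-shaped per-reader value (its payload begins with a user_id field) and is not part of the article address. Link to the bare post URL, for example https://blockthreat.substack.com/p/blockthreat-week-26-2021, so the page does not publish a reader's token.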
Line 67: Line 74:


*[[Whitepaper]] can be found [insert here].
*[[Whitepaper]] can be found [insert here].
*Code can be viewed [insert here].
*Code can be viewed [https://github.com/pancakeswap/pancake-smart-contracts here]. [https://www.defisafety.com/app/pqrs/481 From] [[DeFi Safety]] (20-6-2022):
''"PancakeSwap's contracts repository only has 1 commit, although the commit has 428 changed files with 116,992 additions."''
*Built on: [[Binance|Binance Smart Chain]]
*Built on: [[Binance|Binance Smart Chain]]
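Review bot: the Whitepaper bullet still reads "can be found [insert here]" while the Code bullet beside it now carries a real link; fill in the whitepaper link or drop the bullet. The DeFi Safety attribution appended to the Code bullet would also sit better as its own bullet, the way the other DeFi Safety quotes in this revision are introduced.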


Line 80: Line 88:
===Other Details===
===Other Details===
==Oracle Method==
==Oracle Method==
* [https://www.defisafety.com/app/pqrs/481 From] [[DeFi Safety]] (20-6-2022):
''"No [[oracle]] information could be found other than a mention of [[Uniswap (UNI)|Uniswap]] V2 in "pancake-smart-contracts/projects/exchange-protocol/"'s README. Although it is widely known that PancakeSwap is a 1:1 [[fork]] of Uniswap, this should be documented in a far more concise fashion. As a [[Decentralized Exchange (DEX)|decentralised exchange]], this information should be explained. No [[frontrunning]] information could be found. No information relating to [[Flash Loan|flashloan]] price manipulation mitigation can be found."''
==Compliance==
==Compliance==
==Their Other Projects==
==Their Other Projects==

Revision as of 07:11, 4 August 2022

Pancakeswap is a decentralized exchange (DEX) built on Binance Smart Chain, which is permissioned, so calling Pancakeswap a 100% decentralized exchange is debatable.

Basics

  • Based in:
  • Started in / Announced on:
  • Mainnet release:

History

"Pancakeswap started off as a pale imitation of SushiSwap. Pancakeswap's use case was straightforward: Users provided liquidity to the platform (receiving FLIP tokens in return) and farmed SYRUP, the platform’s governance token.

This arrangement was similar to the many peer-to-peer exchanges that popped up in 2020 offering big “yields” to users becoming liquidity providers and the chance to govern the platform. However, newer products like a lottery service and a non-fungible token (NFT) art platform have furthered Pancakeswap’s use cases."

Audits & Exploits

"PancakeSwap's core contracts have been audited by Certik, and twice by Slowmist. PancakeSwap's lottery V2 has been audited twice, and most of the changes recommended have been implemented. PancakeSwap's Peckshield Lottery V2 Audit. PancakeSwap's Slowmist Lottery V2 Audit."

With the comment: "PancakeSwap has updated their documentation and now has an impressive 82%. This makes them the highest-scoring BinanceChain protocol we've reviewed! PancakeSwap is clearly demonstrating a commitment to building a high-quality protocol users can trust."

  • Previously scored 42% (4-5-2021):

"Certik has done an audit on PancakeSwap. The audit was done after deployment. The audit is not linked in the pancake swap website, github or docs. A major flaw in the syrup tokens was found and is not resolved in the deployed code, though they deprecated the pools. For these reasons a score of 40% is given." It scored very low on Access Controls, due to no information given.

Bugs/Exploits

"PancakeSwap fixed a logic bug which could result in the loss of $700K after it was responsibly disclosed by Juno."

"PancakeSwap's lottery underwent a whitehack proceeding the discovery of a potential exploit. The whitehack is described in the following link under the pretense that PancakeSwap's admin performed the exploit maliciously, which is not true. However, it still describes the exploit quite well."

"Hackers compromised PancakeSwap’s and Cream Finance’s websites yesterday. The Domain Name Service (DNS) attack modified the affected protocols’ website to display a request for the user’s seed phrase, which, if submitted, would compromise their entire account. Because the attack was not on a smart contract itself it is still unclear how many users the hacker tricked into sending their seed phrase as well as the total amount the attack netted."

Governance

Admin Keys

"The relevant contracts are identified as upgradeable through a 3/6 Gnosis multisig, as identified here. The full extent of the contracts' change capabilities is not explicitly described, yet it can be assumed that they are mostly completely upgradeable through their 3/6 multisig. This is proven in contract code. No pause control information is documented. No timelock information is documented. By reading the contract code, we learned there is a 6 hour timelock."

  • Previously it scored very low on Access Controls, due to no information given. It got updated to 71%. From DeFi Safety (5-8-2021):

"PancakeSwap's admin controls are not well labelled and spread across multiple directories.

b) The type of ownership is clearly indicated (OnlyOwner / MultiSig / Defined Roles) -- 30%

c) The capabilities for change in the contracts are described -- 30%

Pause control is explained clearly but there is no evidence of regular testing."

DAO

Treasury

Token

Launch

Token Allocation

Utility

Other Details

Stablecoin

Coin Distribution

Technology

"PancakeSwap's contracts repository only has 1 commit, although the commit has 428 changed files with 116,992 additions."

How it works

Fee Mechanism

Upgrades

Staking

Liquidity Mining

Scaling

Interoperability

Different Implementations

Other Details

Oracle Method

"No oracle information could be found other than a mention of Uniswap V2 in "pancake-smart-contracts/projects/exchange-protocol/"'s README. Although it is widely known that PancakeSwap is a 1:1 fork of Uniswap, this should be documented in a far more concise fashion. As a decentralised exchange, this information should be explained. No frontrunning information could be found. No information relating to flashloan price manipulation mitigation can be found."

Compliance

Their Other Projects

Initial Farm Offering

"A gamified token launch mechanism called Initial Farm Offering, which allows anyone to earn new tokens by staking $CAKE and $BNB in an hour-long token sale."

Roadmap

  • Can be found [Insert link here].

Usage

"Pancake Swap coming in at $60m [revenue] in the past 180 days. As per their docs, on every trade there is a 0.25% fee on each trade. 0.17% goes to LPs, 0.3% goes to the treasury and 0.5% goes to token holders via a buy and burn. In this case it means that token holders and the treasury received $60m in the past 180 days which is pretty impressive. As of June 28, 2022 there are 350,000 CAKE being minted daily which equates to $72m of incentives being printed. Still profitable but a lot less than everyone thinks. I mean they don’t need to print that many tokens given the margins but my initial hunch here is that there’s a circular money game going on here."

"PancakeSwap surpassed Coinbase Pro in volume today and 2.5x'd Uniswap volume. This makes a DEX a top 10 exchange."

"Saw $400 million in trading volume yesterday and briefly became the world’s second-largest DEX service by trading volume, data from CoinGecko shows. With over $1.7 billion worth of various cryptocurrencies locked in the DEX.

As of today, there are over 176 markets on Pancakeswap. Wrapped BNB, a token issued by crypto exchange Binance, is the most traded market with over $81 million in volume in the past day. CAKE is next with a $45 million volume, and there are then the meme tokens like “Birthday Cake,” “Burger Swap,” and “Monster Slayer Cash,” which each account for much smaller volumes."

Projects that use or built on it

Competition

Other DEXs on Binance or other chains

Pros and Cons

Pros

Cons

Team, Funding, Partners

Team

"I decided to venture about who is behind Pancake swap and best guesses point to Binance."

Funding

Partners
