Difference between revisions of "Pangolin (PNG)"
| Line 1: | Line 1: | ||
One of the main [[Decentralized Exchange (DEX)|DEXs]] on [[Avalanche (AVAX)|Avalanche]] | |||
==Basics== | ==Basics== | ||
| Line 8: | Line 10: | ||
==Audits & Exploits== | ==Audits & Exploits== | ||
*[[Bug bounty]] program can be found [https://hackenproof.com/avalanche/avalanche-general here] (15-7-2021) Is 100k or over and is an [https://docs.defisafety.com/finished-reviews/pangolin-process-quality-review#audits active program]. | *[[Bug bounty]] program can be found [https://hackenproof.com/avalanche/avalanche-general here] (15-7-2021) Is 100k or over and is an [https://docs.defisafety.com/finished-reviews/pangolin-process-quality-review#audits active program]. [https://www.defisafety.com/pqrs/425 Update] (21-3-2022): ''"No bug bounty program is offered. While a subsection is created titled “Bug Bounty”, the page is blank and states “coming soon”."'' | ||
*Scored a [https://defisafety.com/2021/07/15/pangolin/ 34% | *Scored [https://www.defisafety.com/pqrs/425 51%] on [[DeFi Safety]] (21-3-2022): | ||
''"[[Contract]] [https://snowtrace.io/address/0xe54ca86531e17ef3616d22ca28b0d458b6c89106#code PangolinRouter] is used over 100 times a day. No testing found in Pangolin's [[GitHub]] repository. Although there is testing of libraries and third-party contracts (such as [[ERC20]].sol), there is virtually no visible testing of Pangolin's executing [[smart contracts]] (Factory, router, mini chef, [[staking]], etc). There is no visible code coverage for any of the Pangolin smart contracts. There is no visible test report of any kind in Pangolin's documentation and GitHub repositories. Pangolin has not undergone a [[Formal Verification]] test. Code is [[Fork|forked]] from [[Uniswap (UNI)|Uniswap]] V2 which was audited however the link to the audit does not work (404). Recently, Pangolin has been [https://docs.pangolin.exchange/pangolin-verified/security audited multiple times] by Halborn, in which changes were identified, addressed and solved."'' | |||
With the [https://t.me/c/1453353094/7917 comment]: "T''his Top 10 [[Avalanche (AVAX)|Avalanche]] [[Decentralized Exchange (DEX)|DEX]] should go to greater lengths in documenting the software capabilities of its protocol. Frontend guides are a great, but we want more of that juicy dev stuff. Similarly, Pangolin seemingly lacks the will to document the full extent of their testing suites. We found plenty of library and third-party [[smart contract]] testing, but barely any that focus directly on Pangolin's executing smart contracts. Even so, Pangolin does a decent job at detailing its governance modules. Although it could be more explicit, it is certainly present, and many [[AVAX]] protocols do not offer this luxury. With numerous audits, these two aspects of the DEX are certainly redeeming. In the end, however, we simply wish that Pangolin increasingly document the capabilities of its software and testing thereof. In general, we think that the protocol would benefit a documentation revamp in order to reassert its scaly defenses. Plz do answer us sometime."'' | |||
*Previously scored a [https://defisafety.com/2021/07/15/pangolin/ 34%] (15-7-2021): | |||
''"They have not done any audits because they are a [[fork]] of [[Compound]] and [[Uniswap]]: two very audited protocols.'' | ''"They have not done any audits because they are a [[fork]] of [[Compound]] and [[Uniswap]]: two very audited protocols.'' | ||
* Since then they did get [https://docs.pangolin.exchange/pangolin-verified/security audits] (2-2022). | * Since then they did get [https://docs.pangolin.exchange/pangolin-verified/security audits] (2-2022) which can be reflected in the above updated score. | ||
===Bugs/Exploits=== | ===Bugs/Exploits=== | ||
| Line 23: | Line 29: | ||
===Admin Keys=== | ===Admin Keys=== | ||
* [https://docs.defisafety.com/finished-reviews/pangolin-process-quality-review#audits According] to [[DeFi Safety]], [[contracts]] are '[https://gov.pangolin.exchange/t/how-governance-works/1082/2 clearly labelled] as upgradable' (15-7-2021) and: | * [https://www.defisafety.com/pqrs/425 From] [[DeFi Safety]] (21-3-2022): | ||
''"None of Pangolin's executing smart contracts, save for the protocol [[fees]], are explicitly labelled as upgradeable or [[immutable]]. Pangolin's [[Multi-Signature|MultiSig]] ownership is [https://docs.pangolin.exchange/pangolin-verified/multisig-members detailed]. Some smart contract change capabilities are identified in the Pangolin documentation. No pause control or a similar function is identified within the Pangolin documentation. A [[timelock]] is identified multiple times within Pangolin's [https://docs.pangolin.exchange/github/governance#deployment-addresses documentation], and a duration is identified within the governance forum. Pangolin's timelock has a duration of one week."'' | |||
*[https://docs.defisafety.com/finished-reviews/pangolin-process-quality-review#audits According] to [[DeFi Safety]], [[contracts]] are '[https://gov.pangolin.exchange/t/how-governance-works/1082/2 clearly labelled] as upgradable' (15-7-2021) and: | |||
''"No Pause Control info in their documentation and no testing evidence found in their [[Github|GitHub]]."'' | ''"No Pause Control info in their documentation and no testing evidence found in their [[Github|GitHub]]."'' | ||
| Line 47: | Line 55: | ||
*[[Whitepaper]] can be found [insert here]. | *[[Whitepaper]] can be found [insert here]. | ||
*Litepaper can be read [https://pangolin.exchange/litepaper#png-governance here]. | *Litepaper can be read [https://pangolin.exchange/litepaper#png-governance here]. | ||
*Code can be viewed [ | *Code can be viewed [https://github.com/pangolindex here]. [https://www.defisafety.com/pqrs/425 From] [[DeFi Safety]] (21-3-2022): | ||
*Built on: [[Avalanche (AVAX)|Avalanche]] | ''"With 217 commits and 4 branches, Pangolin's main repository strikes fear in the heart of all ants."'' | ||
*Built on: [[Avalanche (AVAX)|Avalanche]], a [[fork]] of [[Uniswap (UNI)|Uniswap]] V2 | |||
===How it works=== | ===How it works=== | ||
===Fees=== | |||
===Upgrades=== | |||
===Mining=== | ===Mining=== | ||
===Staking=== | ===Staking=== | ||
===Liquidity Mining=== | ====Validator Stats==== | ||
===Liquidity Mining === | |||
===Scaling=== | ===Scaling=== | ||
===Interoperability=== | ===Interoperability=== | ||
===Other Details=== | === Other Details=== | ||
==Oracle Method== | ==Oracle Method== | ||
* [https://www.defisafety.com/pqrs/425 From] [[DeFi Safety]] (21-3-2022): | |||
''"Pangolin [https://docs.pangolin.exchange/advanced/pricing explains] why they do not use an [[Oracle]]. Pangolin does not document any [[Frontrunners|front running]] mitigation strategies. Pangolin does not document any [[Flash Loan|flash loan]]/liquidity attack mitigation strategies."'' | |||
==Privacy Method== | ==Privacy Method== | ||
==Compliance== | ==Compliance== | ||
==Their Other Projects== | ==Their Other Projects== | ||
==Roadmap== | ==Roadmap== | ||
| Line 69: | Line 85: | ||
===Projects that use or built on it=== | ===Projects that use or built on it=== | ||
==Competition== | ==Competition== | ||
[[Trader Joe (JOE)|Trader Joe]] and [[Decentralized Exchange (DEX)|DEXs]] on [[Avalanche (AVAX)|Avalanche]] in particular and also on other chains in general. | |||
==Pros and Cons== | ==Pros and Cons== | ||
===Pros=== | ===Pros=== | ||
===Cons=== | ===Cons=== | ||
==Team, Funding, | ==Team, Funding, Partners== | ||
===Team=== | ===Team=== | ||
*Full team can be found [here]. | *Full team can be found [https://www.linkedin.com/search/results/people/?facetCurrentCompany=%5B74288656%5D&sid=!O. here]. | ||
===Funding=== | ===Funding=== | ||
| Line 87: | Line 105: | ||
[[ETH]] tip [[address]]: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31 | [[ETH]] tip [[address]]: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31 | ||
[[Category:Coins/Tokens]] | [[Category:Coins/Tokens]] | ||
[[Category:Exchange]] | [[Category:Exchange]] | ||
Revision as of 10:47, 28 March 2022
One of the main DEXs on Avalanche
Basics
- Started in / Announced on:
- Based in:
- Mainnet release:
History
Audits & Exploits
- Bug bounty program can be found here (15-7-2021) Is 100k or over and is an active program. Update (21-3-2022): "No bug bounty program is offered. While a subsection is created titled “Bug Bounty”, the page is blank and states “coming soon”."
- Scored 51% on DeFi Safety (21-3-2022):
"Contract PangolinRouter is used over 100 times a day. No testing found in Pangolin's GitHub repository. Although there is testing of libraries and third-party contracts (such as ERC20.sol), there is virtually no visible testing of Pangolin's executing smart contracts (Factory, router, mini chef, staking, etc). There is no visible code coverage for any of the Pangolin smart contracts. There is no visible test report of any kind in Pangolin's documentation and GitHub repositories. Pangolin has not undergone a Formal Verification test. Code is forked from Uniswap V2 which was audited however the link to the audit does not work (404). Recently, Pangolin has been audited multiple times by Halborn, in which changes were identified, addressed and solved."
With the comment: "This Top 10 Avalanche DEX should go to greater lengths in documenting the software capabilities of its protocol. Frontend guides are a great, but we want more of that juicy dev stuff. Similarly, Pangolin seemingly lacks the will to document the full extent of their testing suites. We found plenty of library and third-party smart contract testing, but barely any that focus directly on Pangolin's executing smart contracts. Even so, Pangolin does a decent job at detailing its governance modules. Although it could be more explicit, it is certainly present, and many AVAX protocols do not offer this luxury. With numerous audits, these two aspects of the DEX are certainly redeeming. In the end, however, we simply wish that Pangolin increasingly document the capabilities of its software and testing thereof. In general, we think that the protocol would benefit a documentation revamp in order to reassert its scaly defenses. Plz do answer us sometime."
- Previously scored a 34% (15-7-2021):
"They have not done any audits because they are a fork of Compound and Uniswap: two very audited protocols.
- Since then they did get audits (2-2022) which can be reflected in the above updated score.
Bugs/Exploits
"The Avalanche network has come to a near halt after “a bug in the cross-chain functionality” code that enables the Avalanche protocol and the Ethereum Virtual Machine (EVM) to speak with each other failed under high loads, according to the Avalanche developer team on Reddit. The release of Avalanche‘s newest decentralized finance (DeFi) product, money market Pangolin, snowballed into “insane load” for the network, which further “triggered a very low probability bug that produced a bad state in the network,” the team said on Reddit. The ability to send transactions has crawled to a halt with some users reporting wait times of up to four hours for finalizing a transaction. Funds are safe, however."
Governance
Admin Keys
- From DeFi Safety (21-3-2022):
"None of Pangolin's executing smart contracts, save for the protocol fees, are explicitly labelled as upgradeable or immutable. Pangolin's MultiSig ownership is detailed. Some smart contract change capabilities are identified in the Pangolin documentation. No pause control or a similar function is identified within the Pangolin documentation. A timelock is identified multiple times within Pangolin's documentation, and a duration is identified within the governance forum. Pangolin's timelock has a duration of one week."
- According to DeFi Safety, contracts are 'clearly labelled as upgradable' (15-7-2021) and:
"No Pause Control info in their documentation and no testing evidence found in their GitHub."
DAO
From the docs (16-7-2021):
"Pangolin governance will be live three months after launch and will enable several key actions, including:
- Modifications to the liquidity pools
- Fee Switch"
Treasury
Token
Launch
Token Allocation
Utility
Other Details
Stablecoin
Coin Distribution
Technology
- Whitepaper can be found [insert here].
- Litepaper can be read here.
- Code can be viewed here. From DeFi Safety (21-3-2022):
"With 217 commits and 4 branches, Pangolin's main repository strikes fear in the heart of all ants."
How it works
Fees
Upgrades
Mining
Staking
Validator Stats
Liquidity Mining
Scaling
Interoperability
Other Details
Oracle Method
- From DeFi Safety (21-3-2022):
"Pangolin explains why they do not use an Oracle. Pangolin does not document any front running mitigation strategies. Pangolin does not document any flash loan/liquidity attack mitigation strategies."
Privacy Method
Compliance
Their Other Projects
Roadmap
- Can be found [Insert link here].
Usage
Projects that use or built on it
Competition
Trader Joe and DEXs on Avalanche in particular and also on other chains in general.
Pros and Cons
Pros
Cons
Team, Funding, Partners
Team
- Full team can be found here.
Funding
Partners
(:
Knowledge empowers all and will help us get closer to the decentralised world we all want to live in!
Making these free wiki pages is fun but takes a lot of effort and time.
If you have enjoyed reading, tips are appreciated :) This will help us to keep expanding this archive of information.
