Pangolin (PNG)

From CryptoWiki

One of the main DEXs on Avalanche


  • Started in / Announced on:
  • Based in:
  • Mainnet release:


Audits & Exploits

  • Bug bounty program can be found here (15-7-2021) Is 100k or over and is an active program. Update (21-3-2022): "No bug bounty program is offered. While a subsection is created titled “Bug Bounty”, the page is blank and states “coming soon”."
  • Scored 51% on DeFi Safety (21-3-2022):

"Contract PangolinRouter is used over 100 times a day. No testing found in Pangolin's GitHub repository. Although there is testing of libraries and third-party contracts (such as ERC20.sol), there is virtually no visible testing of Pangolin's executing smart contracts (Factory, router, mini chef, staking, etc). There is no visible code coverage for any of the Pangolin smart contracts. There is no visible test report of any kind in Pangolin's documentation and GitHub repositories. Pangolin has not undergone a Formal Verification test. Code is forked from Uniswap V2 which was audited however the link to the audit does not work (404). Recently, Pangolin has been audited multiple times by Halborn, in which changes were identified, addressed and solved."

With the comment: "This Top 10 Avalanche DEX should go to greater lengths in documenting the software capabilities of its protocol. Frontend guides are a great, but we want more of that juicy dev stuff. Similarly, Pangolin seemingly lacks the will to document the full extent of their testing suites. We found plenty of library and third-party smart contract testing, but barely any that focus directly on Pangolin's executing smart contracts. Even so, Pangolin does a decent job at detailing its governance modules. Although it could be more explicit, it is certainly present, and many AVAX protocols do not offer this luxury. With numerous audits, these two aspects of the DEX are certainly redeeming. In the end, however, we simply wish that Pangolin increasingly document the capabilities of its software and testing thereof. In general, we think that the protocol would benefit a documentation revamp in order to reassert its scaly defenses. Plz do answer us sometime."

  • Previously scored a 34% (15-7-2021):

"They have not done any audits because they are a fork of Compound and Uniswap: two very audited protocols.

  • Since then they did get audits (2-2022) which can be reflected in the above updated score.


"So turns out that Trader Joe was exploited for ~$1M and this was kept a secret. Later, the same exploit was used against Pangolin to steal ~$300K of protocol fees. And the contract was audited by Halborn."

"The Avalanche network has come to a near halt after “a bug in the cross-chain functionality” code that enables the Avalanche protocol and the Ethereum Virtual Machine (EVM) to speak with each other failed under high loads, according to the Avalanche developer team on Reddit. The release of Avalanche‘s newest decentralized finance (DeFi) product, money market Pangolin, snowballed into “insane load” for the network, which further “triggered a very low probability bug that produced a bad state in the network,” the team said on Reddit. The ability to send transactions has crawled to a halt with some users reporting wait times of up to four hours for finalizing a transaction. Funds are safe, however."


Admin Keys

"None of Pangolin's executing smart contracts, save for the protocol fees, are explicitly labelled as upgradeable or immutable. Pangolin's MultiSig ownership is detailed. Some smart contract change capabilities are identified in the Pangolin documentation. No pause control or a similar function is identified within the Pangolin documentation. A timelock is identified multiple times within Pangolin's documentation, and a duration is identified within the governance forum. Pangolin's timelock has a duration of one week."

"No Pause Control info in their documentation and no testing evidence found in their GitHub."


From the docs (16-7-2021):

"Pangolin governance will be live three months after launch and will enable several key actions, including:

  1. Modifications to the liquidity pools
  2. Fee Switch"




Token Allocation


Other Details


Coin Distribution


"With 217 commits and 4 branches, Pangolin's main repository strikes fear in the heart of all ants."

How it works





Validator Stats

Liquidity Mining



Other Details

Oracle Method

"Pangolin explains why they do not use an Oracle. Pangolin does not document any front running mitigation strategies. Pangolin does not document any flash loan/liquidity attack mitigation strategies."

Privacy Method


Their Other Projects


  • Can be found [Insert link here].


Projects that use or built on it


Trader Joe and DEXs on Avalanche in particular and also on other chains in general.

Pros and Cons



Team, Funding, Partners


  • Full team can be found here.




Knowledge empowers all and will help us get closer to the decentralised world we all want to live in!

Making these free wiki pages is fun but takes a lot of effort and time.

If you have enjoyed reading, tips are appreciated :) This will help us to keep expanding this archive of information.

ETH tip address: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31