How Does Pando Leaf Work?

CDP|Risk C|6 mechanisms|5 interactions

Pando Leaf is a CDP (Collateralized Debt Position) protocol on the Mixin Network that lets users mint pUSD stablecoins by depositing cryptocurrency collateral like BTC and ETH. Inspired by MakerDAO, it uses a unique Mixin Trusted Group (MTG) multi-signature system instead of traditional smart contracts. With approximately $14M in TVL, Pando Leaf was significantly impacted by the September 2023 Mixin Network hack that resulted in ~$200M in total losses across the ecosystem, with Pando Leaf losing 70% of its ETH and 90% of its USDT collateral. The C grade reflects the combination of this major security incident, non-standard oracle infrastructure, and the custodial trust assumptions inherent in the MTG model.

TVL

$15M

Sector

CDP

Risk Grade

C

Value Grade

D

Core Mechanisms

Collateral > Over-collateralization

Crypto-collateralized vaults (BTC, ETH) with 200%+ collateralization ratio for pUSD minting

Standard CDP model inspired by MakerDAO, accepting BTC, ETH, and other Mixin-supported assets

Peg Maintenance > Algorithmic Peg

pUSD soft peg to USD maintained through overcollateralization and liquidation mechanisms

Stability fees and liquidation penalties incentivize peg maintenance

Liquidation > Auction-based Liquidation

Automated vault liquidation when collateral ratio falls below threshold

Liquidation process managed through MTG consensus rather than on-chain smart contracts

Governance > Multisig Governance

Novel

MTG (Mixin Trusted Group) node voting for parameter changes and collateral additions

Novel adaptation of multi-sig governance replacing smart contract-based governance; nodes vote to add collateral types and adjust risk parameters

Oracle > Custom Oracle

Price feeds derived through MTG node consensus mechanism

Non-standard oracle relying on trusted group consensus rather than decentralized oracle networks

Fee Distribution > Protocol Revenue

Stability fees charged on open vaults to maintain pUSD system

Standard CDP stability fee model; fee parameters controlled by MTG node governance

How the Pieces Interact

Collateral > Over-collateralizationLiquidation > Auction-based LiquidationHigh

Collateral value crash combined with MTG-based liquidation could create delays in processing compared to on-chain automated liquidation, potentially leading to under-collateralized positions

Oracle > Custom OracleCollateral > Over-collateralizationMedium

MTG oracle consensus delays or manipulation could trigger premature or delayed liquidations, especially during high volatility

Peg Maintenance > Algorithmic PegLiquidation > Auction-based LiquidationMedium

Cascading liquidations during market downturns could overwhelm pUSD peg stability if liquidated collateral floods the market

Governance > Multisig GovernanceOracle > Custom OracleMedium

MTG node compromise could simultaneously affect both governance decisions and oracle feeds, creating a single point of failure

Fee Distribution > Protocol RevenuePeg Maintenance > Algorithmic PegLow

Stability fee adjustments that are too aggressive could discourage vault creation, reducing pUSD supply and liquidity

What Could Go Wrong

  1. Mixin Network infrastructure dependency — the September 2023 hack resulted in ~$200M in losses across the Mixin ecosystem, with Pando Leaf losing 70% of ETH and 90% of USDT collateral
  2. Non-standard oracle mechanism — relies on MTG (Mixin Trusted Group) node consensus for price feeds rather than established oracle networks like Chainlink
  3. Custodial trust assumptions — MTG multi-signature model requires trusting a small set of nodes rather than decentralized smart contract execution

MTG Node Compromise Leading to Collateral Drain

Moderate

Trigger: Compromise of sufficient MTG nodes to control multi-sig, enabling unauthorized collateral withdrawals

  1. 1.Attacker gains control of majority MTG nodes through infrastructure exploit or social engineering Unauthorized access to collateral custody and oracle feeds
  2. 2.Attacker manipulates oracle prices or directly initiates unauthorized withdrawals Collateral drained from vaults without proper liquidation process
  3. 3.pUSD becomes under-collateralized as backing assets are removed pUSD de-pegs significantly below $1
  4. 4.Remaining users rush to close vaults and exit positions Liquidity crisis across Pando ecosystem including Lake/4swap
  5. 5.Protocol freezes operations similar to September 2023 response Extended downtime with partial or no recovery of stolen funds
See all 2 collapse scenarios in the full risk report →

Risk Profile at a Glance

Mechanism Novelty3/15
Interaction Severity7/20
Oracle Surface7/10
Documentation Gaps4/10
Track Record15/15
Scale Exposure3/10
Regulatory Risk5/10
Vitality Risk6/10
C

Overall: C (50/100)

Lower score = safer

More on Pando Leaf

Is Pando Leaf Safe?

Safety analysis

Is Pando Leaf a Good Investment?

Value analysis

Full Risk Report

All mechanisms & interactions

Related CDP Explainers

How Does Rings Protocol Work?C-How Does Resupply Work?CHow Does FxDAO Work?CHow Does Yala Work?CHow Does BTCFi CDP Work?C