Is Pando Leaf Safe?
Risk Grade: C (50/100)
Pando Leaf is rated as elevated risk — multiple novel mechanisms and notable interaction risks.
Elevated risk — major infrastructure exploit in 2023 with incomplete recovery, combined with non-standard custody and oracle mechanisms that concentrate trust in a small node set.
Pando Leaf is a CDP (Collateralized Debt Position) protocol on the Mixin Network that lets users mint pUSD stablecoins by depositing cryptocurrency collateral like BTC and ETH. Inspired by MakerDAO, it uses a unique Mixin Trusted Group (MTG) multi-signature system instead of traditional smart contracts. With approximately $14M in TVL, Pando Leaf was significantly impacted by the September 2023 Mixin Network hack that resulted in ~$200M in total losses across the ecosystem, with Pando Leaf losing 70% of its ETH and 90% of its USDT collateral. The C grade reflects the combination of this major security incident, non-standard oracle infrastructure, and the custodial trust assumptions inherent in the MTG model.
TVL: $15M
Mechanisms: 6
Interactions: 5
Value Grade: D
Key Risks for Pando Leaf Users
Mixin Network infrastructure risk: The September 2023 hack proved that Pando Leaf's underlying infrastructure can be compromised, with users only receiving 50% reimbursement for losses — this exact scenario has already occurred
Non-standard security model: Unlike most DeFi protocols that use transparent smart contracts, Pando Leaf relies on a small group of MTG nodes for custody and execution, requiring users to trust this node set rather than verifiable code
Oracle centralization: Price feeds come through MTG node consensus rather than established oracle networks, creating potential for delayed or inaccurate pricing during volatile markets
Limited ecosystem liquidity: Operating exclusively on Mixin Network means limited secondary market depth for pUSD and restricted exit options during stress events
Top Risk Factors
- Mixin Network infrastructure dependency — the September 2023 hack resulted in ~$200M in losses across the Mixin ecosystem, with Pando Leaf losing 70% of ETH and 90% of USDT collateral
- Non-standard oracle mechanism — relies on MTG (Mixin Trusted Group) node consensus for price feeds rather than established oracle networks like Chainlink
- Custodial trust assumptions — MTG multi-signature model requires trusting a small set of nodes rather than decentralized smart contract execution
How Pando Leaf Compares to Peers
Pando Leaf ranks #24 of 25 CDP protocols (bottom quartile — among the riskiest). At a risk score of 50/100, it's 14 points riskier than the sector average of 36/100.
Adjacent peers: Resupply (C, 45/100) is ranked just safer, and Rings Protocol (C-, 53/100) is ranked just riskier.
See the full CDP sector leaderboard or the Pando Leaf vs Rings Protocol comparison.
Common Questions about Pando Leaf
Plain-English answers based on Pando Leaf's scores across Hindenrank's 8 risk dimensions. The highest-scoring (riskiest) dimension is Track Record (15/15).
Has Pando Leaf ever been hacked or exploited?
Pando Leaf has a documented incident history that materially raised its risk grade — the track record dimension scored 15/15, near the high end of the scale. Past exploits, governance failures, or contract issues are baked into this rating. Anyone considering deposits should review the incident details before allocating capital.
How much money is at stake in Pando Leaf?
Pando Leaf currently holds roughly $15M in user deposits. Smaller TVL means individual depositors carry a larger share of any loss event, and it can be harder to exit a position quickly during stress.
What's the worst-case scenario for Pando Leaf?
Hindenrank has identified specific collapse scenarios for Pando Leaf. The most prominent is "MTG Node Compromise Leading to Collateral Drain". Its trigger condition is the compromise of sufficient MTG nodes to control the multi-sig, enabling unauthorized collateral withdrawals. Reading through the full scenario list on the protocol page is the single best way to understand the actual failure modes — generic "smart contract risk" is rarely the thing that takes a protocol down.
Is Pando Leaf regulated or insured?
Pando Leaf has some regulatory exposure (5/10), typical of mid-sized DeFi protocols. There is no specific enforcement action on record, but the structure includes elements that regulators have flagged in similar protocols. No DeFi protocol carries FDIC-style insurance — even with low regulatory risk, depositors are not protected in the way bank customers are.
What are the biggest red flags for Pando Leaf?
Hindenrank's retail-focused risk audit flagged:
- Mixin Network infrastructure risk: The September 2023 hack proved that Pando Leaf's underlying infrastructure can be compromised, with users only receiving 50% reimbursement for losses — this exact scenario has already occurred
- Non-standard security model: Unlike most DeFi protocols that use transparent smart contracts, Pando Leaf relies on a small group of MTG nodes for custody and execution, requiring users to trust this node set rather than verifiable code
- Oracle centralization: Price feeds come through MTG node consensus rather than established oracle networks, creating potential for delayed or inaccurate pricing during volatile markets
Should beginners deposit into Pando Leaf?
Pando Leaf's C grade puts it in the elevated-risk band. This is not a beginner-friendly protocol. Anyone depositing here should treat the position as speculative and avoid concentrating significant savings in it.
How does Pando Leaf compare to safer CDP alternatives?
Pando Leaf is one protocol in Hindenrank's CDP coverage. The safest CDP protocols on the leaderboard tend to share three traits: a long incident-free track record, conservative mechanism design, and high-quality public documentation. Compare Pando Leaf against the full CDP ranking before committing capital.
For the full 8-dimension score breakdown, the radar chart, and dependency graph, see the Pando Leaf risk report.
Read the Full Pando Leaf Risk Report
This protocol has 2 collapse scenarios and 1 high-severity interaction risk identified. See the full mechanism classification, interaction matrix, and deep-dive recommendations.