Is Pando Leaf Safe?

Risk Grade: C (50/100)

Pando Leaf is rated as elevated risk — multiple novel mechanisms and notable interaction risks.

Elevated risk — major infrastructure exploit in 2023 with incomplete recovery, combined with non-standard custody and oracle mechanisms that concentrate trust in a small node set.

Pando Leaf is a CDP (Collateralized Debt Position) protocol on the Mixin Network that lets users mint pUSD stablecoins by depositing cryptocurrency collateral like BTC and ETH. Inspired by MakerDAO, it uses a unique Mixin Trusted Group (MTG) multi-signature system instead of traditional smart contracts. With approximately $14M in TVL, Pando Leaf was significantly impacted by the September 2023 Mixin Network hack that resulted in ~$200M in total losses across the ecosystem, with Pando Leaf losing 70% of its ETH and 90% of its USDT collateral. The C grade reflects the combination of this major security incident, non-standard oracle infrastructure, and the custodial trust assumptions inherent in the MTG model.

TVL: $14M
Mechanisms: 6
Interactions: 5
Value Grade: D

Key Risks for Pando Leaf Users

1. Mixin Network infrastructure risk: The September 2023 hack proved that Pando Leaf's underlying infrastructure can be compromised, with users only receiving 50% reimbursement for losses — this exact scenario has already occurred.

2. Non-standard security model: Unlike most DeFi protocols that use transparent smart contracts, Pando Leaf relies on a small group of MTG nodes for custody and execution, requiring users to trust this node set rather than verifiable code.

3. Oracle centralization: Price feeds come through MTG node consensus rather than established oracle networks, creating potential for delayed or inaccurate pricing during volatile markets.

4. Limited ecosystem liquidity: Operating exclusively on Mixin Network means limited secondary market depth for pUSD and restricted exit options during stress events.

Top Risk Factors

  • Mixin Network infrastructure dependency — the September 2023 hack resulted in ~$200M in losses across the Mixin ecosystem, with Pando Leaf losing 70% of ETH and 90% of USDT collateral
  • Non-standard oracle mechanism — relies on MTG (Mixin Trusted Group) node consensus for price feeds rather than established oracle networks like Chainlink
  • Custodial trust assumptions — MTG multi-signature model requires trusting a small set of nodes rather than decentralized smart contract execution

Risk Score Breakdown

Pando Leaf's highest risk area is Track Record (15/15). Here's how each dimension contributes to the overall 50/100 score:

Mechanism Novelty: 3/15
Interaction Severity: 7/20
Oracle Surface: 7/10
Documentation Gaps: 4/10
Track Record: 15/15
Scale Exposure: 3/10
Regulatory Risk: 5/10
Vitality Risk: 6/10

This protocol has 2 collapse scenarios and 1 high-severity interaction risk identified. The full report covers the mechanism classification, interaction matrix, and deep-dive recommendations.

Ratings use Hindenrank's eight-dimension risk rubric. Lower score = lower risk. Grades range from A (safest) to F (riskiest). This is not financial advice.