Details on security measures, access control, timelocks and flash loan attacks.
The DeFi space is constantly moving and new vulnerabilities are discovered and exploited by the minute.
There are no admin controls in PADSwap's factory and router contracts.
The only role in this PADSwap Factory and Router is OnlyOwner. All contracts are deployed by the same address 0xF4210B747e44592035da0126f70C48Cb04634Eac.
The keys to this address are held by the DEVS Team.
None of the deployed contracts can be upgraded. OnlyOwner does not have the ability to change any aspects of the contracts.
There are no admin controls to change the $PAD minter's drip after deployment.
The $PAD minter drips to all PAD farms. The contract owners (KT and Snake) have the ability to change the percentage of the drip each farm gets. There is no control to actively mint or to increase the drip! The control is only on the distribution of the drip. This allows the TOADao and ultimately the Core Team to manage the PAD farm incentives. It is also possible to add or remove farms from the PAD drip distribution, e.g. if a new farm is created or an old one is phased out.
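The following sketch is an added example, not Toad.Network's contract code. It shows one way the property described above can be enforced on-chain: the drip rate is fixed at deployment and the owner can only re-split it between farms. The contract name, function names and the basis-point accounting are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch: every identifier here is an assumption, not the project's code.
contract DripDistributor {
    uint256 public constant TOTAL_BPS = 10_000;   // shares must always total 100%
    uint256 public immutable dripPerSecond;       // fixed at deployment, no setter exists
    address public immutable owner;

    address[] public farms;
    mapping(address => uint256) public shareBps;  // farm => share of the drip

    event SharesUpdated(address[] farms, uint256[] bps);

    constructor(uint256 _dripPerSecond) {
        dripPerSecond = _dripPerSecond;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The owner's only power: replace the farm list and its split.
    // Adding a farm means listing it; removing a farm means leaving it out.
    function setShares(address[] calldata newFarms, uint256[] calldata bps) external onlyOwner {
        require(newFarms.length == bps.length, "length mismatch");
        for (uint256 i = 0; i < farms.length; i++) {
            delete shareBps[farms[i]];            // clear the previous split
        }
        uint256 sum = 0;
        for (uint256 i = 0; i < newFarms.length; i++) {
            require(newFarms[i] != address(0), "zero farm");
            require(bps[i] > 0, "zero share");
            require(shareBps[newFarms[i]] == 0, "duplicate farm");
            shareBps[newFarms[i]] = bps[i];
            sum += bps[i];
        }
        require(sum == TOTAL_BPS, "shares must total 100%");
        farms = newFarms;
        emit SharesUpdated(newFarms, bps);
    }

    // Amount attributable to one farm over `elapsed` seconds. Summed over all farms
    // it cannot exceed dripPerSecond * elapsed, whatever split the owner chooses.
    function owed(address farm, uint256 elapsed) external view returns (uint256) {
        return (dripPerSecond * elapsed * shareBps[farm]) / TOTAL_BPS;
    }
}
```

When reviewing a deployed minter against a claim like this, the points to check are the same ones the sketch makes explicit: no owner-callable mint function, no setter for the emission rate, and a hard requirement that the shares total 100%.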
There are no admin controls to change the DPLP reward drip after deployment.
Tokens sent towards the Vault are first sent to a buffer, from which they are periodically sent to the Vault. Some are converted to whitelisted tokens in the process. For Moonriver and Moonbeam this buffer is already managed via a smart contract, but on BSC this is done through a Gnosis Safe for the time being, until the same smart contract is also deployed to BSC. This Safe is a multisig wallet requiring 2/3 signatures to perform transactions. The signatures are held by KT and Snake from the Core Team and one by SpadeTech (who performed the audit on BSC).
Marketing initiatives are partly financed through community contributions. These contributions can be sent towards a Gnosis Safe on Moonbeam. This Safe is a multisig wallet requiring 2/3 signatures to perform transactions. The signatures are held by TOADao community members.
Toad.Network's smart contracts do not provide any option to pause smart contracts. While a pause functionality can theoretically be used to protect smart contract users from harm in case of an exploit, it can also be used in many ways contrary to user interests. In fact, we mainly see it used in the latter way and are therefore against this practice.
PADSwap itself does not offer any flash loans and is therefore not vulnerable from the perspective of a flash loan provider. But flash loan attacks can be executed against any smart contract using the funds of a flash loan provided by a third party. Toad.Network's smart contracts do not have any explicit flash loan protection. If you see any flash loan attack vulnerability, please refer to our Bug Bounty Program.