# Protocol Due Diligence: Pearl
Pearl is an Automated Market Maker (AMM) designed to provide deep liquidity for real world assets on Polygon. It utilizes the value accrual and incentive mechanics popularized by Curve and Solidly to align network participants.
The protocol mints a governance token, $PEARL, which users can lock to earn trading fees and governance rights. Liquidity providers stake their LP tokens in Pearl's gauges to earn $PEARL emissions. A portion of stablecoin pools' yield is autonomously redirected as "bribes" to further incentivize liquidity. Pearl aims to become the premier venue for tokenized real world assets, which offer enhanced yield opportunities. The anonymous team forked proven code from Velodrome (V1) and Thena to create Pearl's AMM model. While innovative, Pearl's contracts remain centralized and have not undergone extensive auditing yet. On 8th of September 2023, Pearl had a combined [Total Value Locked (TVL) of 63M](https://defillama.com/protocol/pearlfi).
## Overview + Links
- **Website**: https://pearl.exchange
- **Governance**: [vePEARL](https://docs.pearl.exchange/tokenomics/ecosystem-tokens)
- **Team:** The team is anonymous
- **Social**: [Twitter](https://twitter.com/PearlFi_) | [Discord](https://discord.gg/AG4Ryum5WN) | [Medium](https://pearlexchange.medium.com/)
- **GitHub:** https://github.com/Pearl-Finance/pearl-contracts
- **Docs**: https://docs.pearl.exchange/introduction/pearl-exchange
- **Others**: [Velodrome V1 due diligence](https://github.com/yearn/yearn-strategies/blob/master/dd/velodrome.md)
## Audits and Due Diligence Disclosures
Pearl has made changes to the forked code that have not been audited independently. No major security issues have been publicly disclosed by the Pearl team.
### Links to the reports
(from Fork) [PeckShield audit of Thena - March 2023](https://2486169550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbcU6bFPvnd4PdoSO3JNS%2Fuploads%2FLSHi0peBQqmujUrVgYiB%2FPeckShield-Audit-Report-Thena-v1.0.pdf?alt=media&token=a60b0bf7-a504-400a-8b8b-bec4851c2538)
(from Fork) [PeckShield audit of Solidly - January 2022](https://2486169550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbcU6bFPvnd4PdoSO3JNS%2Fuploads%2FVqcTmcgNtpAWWrhYHRpn%2FPeckShield-Audit-Report-Solidly-v1.0.pdf?alt=media&token=dda63525-d0d1-424b-8149-61a3f23ed77f)
(from Fork) [Code4rena contest audit of Velodrome - August 2022](https://code4rena.com/reports/2022-05-velodrome)
### Summarize high/critical/medium issues and fixes.
- The Thena audit did not uncover any critical issues, only low severity findings that were addressed.
- The Solidly audit found 5 low severity issues that were fixed.
- The Velodrome audit identified some medium risk issues that were addressed, except one related to reward claims that was mitigated.
### Does the hash code in the audit/s report/s match in the GitHub repository vs. deployed smart contract? If it doesn’t, why?
The [GitHub repo](https://github.com/Pearl-Finance/pearl-contracts/commit/fac7a43545c0244c210c0e86248ed4f8208e8c59) contains the contracts deployed on Polygon.
Only Pearl.sol shows a minimal difference between the deployed code and the repo code. Contracts can be verified by running diffyscan: https://github.com/spalen0/diffyscan/tree/polygon-pearl
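
The kind of comparison this check relies on, as an added Python illustration (not diffyscan's code and not part of the Pearl repo): every source file verified on the block explorer is diffed against the same path at the pinned commit. The file names and contents below are constructed placeholders, not the real contracts.

```python
import difflib

def normalize(src: str) -> list[str]:
    """Drop line-ending and trailing-whitespace noise so only code changes remain."""
    return [line.rstrip() for line in src.replace("\r\n", "\n").split("\n")]

def compare_sources(deployed: dict[str, str], repo: dict[str, str]) -> dict[str, dict]:
    """Diff each deployed (explorer-verified) file against the repo copy.

    Extra files in the repo (tests, scripts) are ignored: what matters is that
    every file that was actually deployed is accounted for at the pinned commit.
    """
    report = {}
    for path, deployed_src in sorted(deployed.items()):
        if path not in repo:
            report[path] = {"status": "missing_in_repo", "changed_lines": 0, "diff": []}
            continue
        diff = list(difflib.unified_diff(
            normalize(repo[path]), normalize(deployed_src),
            f"repo/{path}", f"deployed/{path}", lineterm="", n=0))
        # The first two diff lines are the ---/+++ file headers, not changes.
        changed = sum(1 for line in diff[2:] if line.startswith(("+", "-")))
        report[path] = {"status": "different" if diff else "identical",
                        "changed_lines": changed, "diff": diff}
    return report

def needs_review(report: dict[str, dict]) -> list[str]:
    """Paths a reviewer has to read by hand before trusting the deployment."""
    return [p for p, r in report.items() if r["status"] != "identical"]

# Constructed sample input: placeholder sources, not the real Pearl contracts.
REPO = {
    "contracts/Pearl.sol": 'pragma solidity 0.8.13;\ncontract Pearl {\n    string public name = "Pearl";\n}\n',
    "contracts/Voter.sol": "pragma solidity 0.8.13;\ncontract Voter {}\n",
}
DEPLOYED = {
    "contracts/Pearl.sol": 'pragma solidity 0.8.13;\ncontract Pearl {\n    string public name = "PEARL";\n}\n',
    "contracts/Voter.sol": "pragma solidity 0.8.13;\r\ncontract Voter {}\r\n",  # CRLF only
}

if __name__ == "__main__":
    result = compare_sources(DEPLOYED, REPO)
    for path in needs_review(result):
        print(path, result[path]["changed_lines"], "changed lines")
        print("\n".join(result[path]["diff"]))
```

A file reported as `missing_in_repo` or `different` is unaudited by definition until someone reads the diff, however small it is.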

### Did the team include new changes that have yet to be audited?
Yes. The following changes have been made from the forked code:
- Adjustments made to the THENA minter for rebase protection.
- The $Pearl ERC-20 was newly written using the OpenZeppelin standard.
- Pearl incorporated Velodrome's Pair and PairFees contracts.
- Modification in Voter contract: Gauges can be created if one pool token is USDR, though the governor has an override.
- Hard-coded values were updated, automation contracts modified to integrate with Gelato (not Chainlink), front end aligned with Thena's design, and general formatting was done.
- A new airdrop distribution contract was developed.
Response from 0xKeshi: "0xKeshi — 13/06/2023 21:53
The token contract we used is the openzeppelin contract, it doesn't need to be audited.
The other changes were to math formulas, changing things like rebase variables.
Working on implementing an Immunefi bounty, nothing material from a security standpoint was changed from audited contracts to ours."
## Funds Management
- Is the protocol delegating the funds to another protocol/s? No
- Do we have a due diligence document for those protocols? N/A
- How will we monitor any changes in the funds’ delegation? N/A
## Rug-ability
**Multi-sig:** https://app.safe.global/balances?safe=matic%3A0xE603d1b4dEC02F7c0Bcd96F4BdeBefC2Bff4e398
**Number of Multi-sig signers/threshold:** 4/5
1. Keshi - 0x3265d353943c7A01806Dd3CE68bA02fb83B57042
2. Tahiti Pearl King - 0xEd41f5967252248412E6C69475ae8a5A4274A6f8
3. SeaZarrgh - 0x175D1Ba3e7ebe64C239ed097e9c1076eB65f20a7
4. Akoya - 0xB02B5d046c37301f0CF5caa25c3A437314CE2FD0
5. Sulu - 0xe220a27b0905037532c3D64eb2cFb95221079752
**Upgradable Contracts:**
Core contracts are upgradable proxies controlled by the multi-sig. No apparent timelock for upgrades. Critical parameters can be changed.
Main contracts that hold funds are immutable, e.g. [USDC-USDR pair](https://polygonscan.com/address/0xD17cb0f162f133e339C0BbFc18c36c357E681D6b#readContract) and [gauge contract for this pair](https://polygonscan.com/address/0x97Bd59A8202F8263C2eC39cf6cF6B438D0B45876#readContract).
## Misc Risks
The main profit for the pool token will be generated by selling the reward $PEARL tokens. Liquidity providers receive $PEARL emissions as rewards for staking their liquidity positions in the gauge. These rewards are streamed and available for claiming as they accrue.
The strategy will use LP tokens, so it's not subject to impermanent loss. The user accepts the risk of investing in LP tokens, similar to Velodrome vaults on OP.
Redeeming USDR for DAI on [Tangible](https://docs.tangible.store/real-usd/how-it-works/redeeming-real-usd) incurs a 0.5% fee. This step is used only in the rewards swap flow, and only if the fixed 0.5% fee is less than the fee for swapping USDR to DAI on the Pearl exchange.
USDR backing: https://www.tangible.store/realusd?action=Stats
USDR treasury: https://polygonscan.com/address/0x6ef682f0223687c625e6c4a115f544a80c37da33
### Audit Reports / Key Findings / Security Disclosures
N/A
### Bug Bounty program
The only bug bounty is Velodrome's $100k program on Immunefi, and it covers a slightly different version, v2: https://immunefi.com/bounty/velodromefinance/
For differences between v1 and v2 check Velodrome v2 DD: https://github.com/yearn/yearn-strategies/blob/0600d9dda94ee43f5093173cbcd1145117640332/dd/velodrome_v2.md#yearn-internal-review
Thena removed Immunefi bug bounty: https://thena.gitbook.io/thena/security#ongoing-bug-bounty
### Anything else
# Path to Prod
## Strategy Details
- **Description:** The strategy accepts Pearl LP tokens, from both stable and non-stable pairs, as its asset token. The asset token earns LP fees and is also deposited in a gauge, Curve style, to earn the $PEARL reward token, which is sold for more of the asset token. $PEARL rewards are first sold for USDR, which is then sold for both tokens of the pair; these are deposited into the pool for more of the asset token. A Synapse swap or the Curve Aave pool is used for stable-stable swaps so we don’t modify the ratios of the Pearl pool. For non-stable pairs, the Pearl swap is used.
- **Strategy current APR:** [Depending on LP pair](https://www.pearl.exchange/liquidity), around 30%-40%
- **Does Strategy delegate assets?:** No
- **Target Prod Vault:** 3.0.0
- **BaseStrategy Version #:** 3.0.0
- **Target Prod Vault Version #:** 3.0.0
## Monitoring and Alerting
A Telegram bot sends a message if the ratio of DAI in the USDR treasury falls below a defined value: https://github.com/spalen0/bad-debt-alert/blob/master/usdr-treasury-trigger.py
## Testing Plan
### Ape.tax
- **Will Ape.tax be used?:** Yes
- **Will Ape.tax vault be same version # as prod vault?:** Yes
- **What conditions are needed to graduate? (e.g. number of harvest cycles, min funds, etc):** Be profitable, call harvest to sell min rewards and collect LP fees.