Market-listing governance threshold
PancakeSwap's assessment for RD-F-072 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
V2/V3 pool creation is fully permissionless — any BEP-20 token can be listed by adding liquidity; no governance approval, no token vetting, no minimum liquidity floor enforced by protocol code. This is the structural root cause of the BCE/USDT ($679K, March 2025) and OCA/USDC ($422K) pool drain incidents, where malicious/flawed third-party tokens were permissionlessly listed and exploited. PancakeSwap's default token list provides UI-level curation only; the on-chain contracts impose zero listing controls. Note: PD-024 marks RD-F-072 as 'lending-only N/A for DEX' — however, the economic harm pattern (permissionless market creation enabling exploitation) is structurally identical. Scored yellow rather than N/A given two documented dollar-denominated events. Flag as potential v1.6 scope clarification.
Sources #
- URLPancakeSwap V2 OCA/USDC pool drained — CryptopolitanOCA/USDC pool drain: second instance of permissionless listing exploitationretrieved 2026-04-28
- PancakeSwap Exploit: BCE/USDT Pool Vulnerability — cryptonews.netBCE/USDT pool drain: permissionless listing enabled third-party token burn manipulationretrieved 2026-04-28
- PancakeSwap Listing Requirements — listing.helpPermissionless listing requirements and associated risks documentationretrieved 2026-04-28
- Swap FAQ — docs.pancakeswap.financePancakeSwap swap FAQ: permissionless listing model — any BEP-20 can be listedretrieved 2026-04-28
Methodology #
Classify the governance threshold required to list a new market as: permissionless / low-threshold (team multisig) / high-threshold (DAO vote) / no new listings.
See the full factor methodology and distribution across all protocols →