On-chain ledger

Every account with any kind of authority over the P&L protocol is listed here. If a wallet has the ability to move funds, modify the program, or take administrative action, it's on this page.

The program itself

The program is the only entity that can move funds out of market vaults or the treasury. The instructions it accepts are fixed at deploy time — changing them requires a program upgrade, signed by the upgrade authority below.

Upgrade authority

The upgrade authority is the most powerful single key in the system. A malicious upgrade could drain everything. We are committed to:

• Never closing the program (see known limitations for why this matters)
• Announcing any upgrade with at least 48-hour notice in the Discord and on this page
• Migrating to multisig before treasury balance exceeds a threshold (TBD, will be posted here)

Treasury

This wallet is the recipient of every platform fee. Every credit and debit is public. The wallet itself cannot move SOL on its own — withdrawals require a withdraw_fees instruction signed by the admin (see below).

Admin

The admin can:

• set_admin: Pass admin rights to a different wallet. One-time, on-chain.
• withdraw_fees: Move accumulated SOL out of the treasury account.
• emergency_drain_vault: Drain SOL from a specific market vault. Reserved for situations where a market is stuck (e.g., a pump.fun CPI failure), to make participants whole. Has never been invoked in production.

The admin cannot unilaterally modify any market's outcome or change voter positions. Resolution is enforced by the program logic, not by admin discretion.

$PNL token mint

The $PNL token mint has all three authorities set to null at the mint level — supply is fixed, no freeze, no metadata changes. This was set by pump.fun's protocol at the time of graduation; we did not have the option to keep these authorities.

Hardcoded protocol constants

These addresses are baked into the Rust source code at apps/web/plp_program/programs/errors/src/constants.rs. They cannot be changed without a program upgrade.

Program-derived addresses (PDAs)

These are deterministically derived by the program, not held by any wallet:

Treasury PDA       = ["treasury"]
Market PDA         = ["market", founder, hash(ipfs_cid)]
Position PDA       = ["position", market, user]
Market Vault PDA   = ["market_vault", market]
Team Vesting PDA   = ["team_vesting", market]
Founder Vesting PDA = ["founder_vesting", market]

Use PublicKey.findProgramAddressSync(seeds, programId) with these seeds and the program ID to derive any of them client-side.

Things this list does NOT contain

For completeness, things that are sometimes assumed to exist but don't:

• No insider wallet holding pre-mine $PNL allocation
• No team allocation of the $PNL native token (the 33% goes to market founders, not the platform)
• No paused-protocol bit — the program does not have a global pause; it cannot be turned off short of upgrading to a version with one
• No oracle account — the protocol does not consume any external data feed
• No fee changes outside the program — the 0.015/1.5%/5% values are constants, not config

How to audit

The strongest verification path is to read the source. Specifically:

1. programs/errors/src/constants.rs — every hardcoded address
2. programs/errors/src/instructions/init_treasury.rs — the admin gate
3. programs/errors/src/instructions/withdraw_fees.rs — what admin can actually do with treasury

If any address on this page diverges from what's in the source, the source is authoritative. Tell us.