I mean Tor itself. It uses TLS to connect securely to the nodes.
The code includes a list of Directory Servers, along with the fingerprints of their certs[1], so those are pinned. Then the relays are fetched from a Directory Server, along with their own fingerprints. So those connections are also authenticated.
I'm a little suspect that they have their own implementation, which might be incomplete, but it is likely better than no pinning.
By Tor, do you mean the firefox browser fork or Tor itself?