PancakeSwap Infinity
Total reward
$1,000,000
Findings submitted
22
Start date
29 Apr 2025
Please sign in as a researcher to join the bounty.
Log inPancakeSwap is a leading multi-chain DEX with ~$2B in TVL. It offers several products such as farming, derivatives, etc. PancakeSwap Infinity is the newest version of the DEX, designed to make swapping & liquidity provisioning faster, cheaper, and more flexible. It uses a modular design that allows for more customization using hooks and supports different types of AMM pools.
Scope
In-Scope Targets:
Core Contracts:
| Contract | Address |
|---|---|
| Vault | 0x238a358808379702088667322f80aC48bAd5e6c4 |
| CLPoolManager | 0xa0FfB9c1CE1Fe56963B0321B32E7A0302114058b |
| BinPoolManager | 0xC697d2898e0D09264376196696c51D7aBbbAA4a9 |
| CLProtocolFeeController | 0x12F2a2965A665F8aBCf955C4dA26CC4Ec437b2c8 |
| BinProtocolFeeController | 0xC7C41cc1F0f4BC4CA96ac860E5c724B9A265B9A8 |
| CLPoolManagerOwner | 0x13f818BDC906C16764d8325809B4b67A9981f792 |
| BinPoolManagerOwner | 0x10944942c7EC351A4Aa36D59A40Cb741cc5c37cB |
| Contract | Address |
|---|---|
| CLPositionManager | 0x55f4c8abA71A1e923edC303eb4fEfF14608cC226 |
| BinPositionManager | 0x3D311D6283Dd8aB90bb0031835C8e606349e2850 |
| CLQuoter | 0xd0737C9762912dD34c3271197E362Aa736Df0926 |
| BinQuoter | 0xC631f4B0Fc2Dd68AD45f74B2942628db117dD359 |
| MixedQuoter | 0x2dCbF7B985c8C5C931818e4E107bAe8aaC8dAB7C |
| TickLens | 0x8BcF30285413F25032fb983C2bF4deFe29a33f3a |
| Contract | Address |
|---|---|
| UniversalRouter | 0xd9c500dff816a1da21a48a732d3498bf09dc9aeb |
| CLDynamicFeeHook (baseLpFee: 0.3%) | 0x80DAf0057F5A454e70eAecD6e5F6769f563F7AC3 |
| CLDynamicFeeHook (baseLpFee: 0.1%) | 0x7136a877Cf751ffc7e826F64B72b3ac41ccc15EC |
| CLDynamicFeeHook (baseLpFee: 0.05%) | 0x32C59D556B16DB81DFc32525eFb3CB257f7e493d |
| CLFeeHelper | 0x4e6825d29BbeA5F29Ee7AEfA40C3EAaBB27A9733 |
| Distributor | 0xEA8620aAb2F07a0ae710442590D649ADE8440877 |
| CampaignManagerV1 | 0x26Bde0AC5b77b65A402778448eCac2aCaa9c9115 |
| HarvestReceiver | 0x328F54EF595876aEB3061046a9d119ac7bCe9d5f |
| HarvestKeeper | 0x2e56D72BA76239C359062f5155cBF76cCa0Ea277 |
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
- Anything outside of the in scope contracts.
Prohibited Actions
-
No Unauthorized Testing on Production Environments:
Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups. -
No Public Disclosure Without Consent:
Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose. -
No Exploitation or Data Exfiltration:
Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service. -
No Conflict of Interest:
Individuals currently or formerly employed by PancakeSwap, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Report must include:
-
A clear description of the vulnerability and its impact.
-
Steps to reproduce the issue (proof of concept preferred).
-
Conditions under which the issue occurs.
-
Potential implications if exploited.
-
Reports should be made as soon as possible—ideally within 24 hours of discovery.
-
If a reported issue is exploited before it is fixed, the submission will not be eligible for a bounty.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
| Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|---|
| Likelihood: High | Critical | High | Medium | Low |
| Likelihood: Medium | High | High | Medium | Low |
| Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Core Smart Contract Code
| Risk Score | Payout Range |
|---|---|
| Critical | Up to $1,000,000 |
| High | Up to $20,000 |
| Medium | Up to $2,000 |
| Low | - |
Note:
- Rewards will be further capped at 5% of direct funds at risk at the time of reporting the bug.
- Actual reward amounts are determined at PancakeSwap’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Out of Scope
- Please refer to the docs on the default out of scope rules.
Other Terms
By submitting a report, you grant PancakeSwap the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of PancakeSwap. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.