PancakeSwap
Status: Active
Launched: 14 May 2024
Expires: Non-expiring
Max Payout: $1,000,000
GENERAL INFORMATION
PancakeSwap serves as a DEX on Binance Smart Chain and various other chains, offering diverse features for token earning and winning. Its accessibility, speed, and cost-effectiveness make it suitable for all users. Additionally, PancakeSwap incorporates playful elements like pancakes and rabbits.
This platform operates as an automated market maker ("AMM"), facilitating token exchanges on Binance Smart Chain and other compatible chains. Furthermore, users can generate CAKE tokens through yield farming, staking, and participating in Syrup pools to earn additional tokens.
Assets Type: Smart Contracts, Websites and Applications
Chains: BSC
Programming Language: Solidity, JavaScript
Product Types: Web app
Project Categories: DEX
PAYOUTS
Critical: $20,000 - $1,000,000
- Any governance voting result manipulation
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield (dependent on the value at stake)
- Permanent freezing of funds (dependent on the value at stake)
- Protocol insolvency (dependent on the shortfall in value)
The payouts are determined by Group 1 and Group 2 as outlined in the Program Details section.
High: $2,000 - $20,000
- Complete theft of unclaimed yield (dependent on the value at stake)
- Temporary freezing of funds (dependent on the value at stake and duration of freeze)
- Permanent freezing of unclaimed yield (dependent on the value at stake and duration of freeze)
The payouts are determined by Group 1 and Group 2 as outlined in the Program Details section.
Medium, Low, Informational
Not eligible
PROGRAM RULES AND PAYOUTS
Prohibited Activities
The following activities are prohibited by the bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Eligibility Criteria
- Current employees, vendors (auditors), partners and contractors are not eligible to participate in the bug bounty program
Rewards and Recognition
- All payouts are conducted by the PancakeSwap team, pegged to USD values and payable in CAKE or USDT.
- The bug bounty program reserves the right to adjust award amounts within the specified range based on the quality and accuracy of submissions. The decision to pay out rests solely with the PancakeSwap team.
- The maximum reward for critical vulnerabilities is capped at 5% of the funds at risk based on the reported vulnerability.
- This program follows the policy where a report is eligible for bounty only if a fix is implemented.
Smart Contract Rewards: Group 1 and Group 2
Group 1 comprises the essential components, namely the core swap and reward functionality: PancakeSwap V2, V3 and Stableswap, and associated contracts such as MasterChef V2 and V3, Smart Chef (Syrup pools), and Cake Pool.
Group 2 encompasses other contracts not mentioned in Group 1.
For Group 1, critical smart contract vulnerability payouts start at a minimum of USD $50,000, with a maximum cap of USD $1,000,000 or 5% of the value at risk at the time of report submission, whichever is greater.
For Group 2, critical smart contract vulnerability payouts start at a minimum of USD $20,000, or 5% of the value at risk at the time of report submission, with a maximum cap of USD $100,000, whichever is greater.
Non-critical rewards are determined based on internal team criteria, considering factors such as exploitability, impact, and likelihood of the vulnerability presenting itself.
XSS reports are limited to those prompting a user to sign a transaction or redirect.
Submission Guidelines
- Reports should be submitted through the Remedy platform
- All bug reports must include a Proof of Concept demonstrating how the vulnerability can be exploited to qualify for a reward
IN SCOPE ASSETS
Smart Contracts
- Pancakeswap Infinity Core: https://github.com/pancakeswap/infinity-core
- Pancakeswap Infinity Periphery: https://github.com/pancakeswap/infinity-periphery
- Pancakeswap Infinity Router: https://github.com/pancakeswap/infinity-universal-router
- Pancakeswap V2 Periphery: https://github.com/pancakeswap/pancake-swap-periphery
- Pancakeswap V3: https://github.com/pancakeswap/pancake-v3-contracts
Websites and Applications
In Scope (see above repositories)
OUT OF SCOPE & RULES
Excluded Vulnerabilities
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Only the impacts described in the "Payouts" section are accepted within this bug bounty program. All other impacts are considered out of scope, even if they affect an asset listed in the in-scope assets table.
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts Exclusions
- Incorrect data supplied by third party oracles
- This does not exclude oracle manipulation or flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- OFT-related contracts are not in the scope of this program unless the logic is specific to PancakeSwap's implementation. If you have found an issue with OFT-related contracts, please report it to https://immunefi.com/bounty/layerzero/
Any internally known issues are considered out of scope/duplicate. If a known issue is submitted, the PancakeSwap team is willing to provide proof that it is a duplicate.