PancakeSwap Infinity

PancakeSwap is a leading multi-chain DEX with ~$2B in TVL. It offers several products such as farming, derivatives, etc. PancakeSwap Infinity is the newest version of the DEX, designed to make swapping & liquidity provisioning faster, cheaper, and more flexible. It uses a modular design that allows for more customization using hooks and supports different types of AMM pools.

Scope

In-Scope Targets:

Core Contracts:

https://github.com/pancakeswap/infinity-core

Contract	Address
Vault	0x238a358808379702088667322f80aC48bAd5e6c4
CLPoolManager	0xa0FfB9c1CE1Fe56963B0321B32E7A0302114058b
BinPoolManager	0xC697d2898e0D09264376196696c51D7aBbbAA4a9
CLProtocolFeeController	0x12F2a2965A665F8aBCf955C4dA26CC4Ec437b2c8
BinProtocolFeeController	0xC7C41cc1F0f4BC4CA96ac860E5c724B9A265B9A8
CLPoolManagerOwner	0x13f818BDC906C16764d8325809B4b67A9981f792
BinPoolManagerOwner	0x10944942c7EC351A4Aa36D59A40Cb741cc5c37cB

https://github.com/pancakeswap/infinity-periphery

Contract	Address
CLPositionManager	0x55f4c8abA71A1e923edC303eb4fEfF14608cC226
BinPositionManager	0x3D311D6283Dd8aB90bb0031835C8e606349e2850
CLQuoter	0xd0737C9762912dD34c3271197E362Aa736Df0926
BinQuoter	0xC631f4B0Fc2Dd68AD45f74B2942628db117dD359
MixedQuoter	0x2dCbF7B985c8C5C931818e4E107bAe8aaC8dAB7C
TickLens	0x8BcF30285413F25032fb983C2bF4deFe29a33f3a

https://github.com/pancakeswap/infinity-universal-router

Contract	Address
UniversalRouter	0xd9c500dff816a1da21a48a732d3498bf09dc9aeb
CLDynamicFeeHook (baseLpFee: 0.3%)	0x80DAf0057F5A454e70eAecD6e5F6769f563F7AC3
CLDynamicFeeHook (baseLpFee: 0.1%)	0x7136a877Cf751ffc7e826F64B72b3ac41ccc15EC
CLDynamicFeeHook (baseLpFee: 0.05%)	0x32C59D556B16DB81DFc32525eFb3CB257f7e493d
CLFeeHelper	0x4e6825d29BbeA5F29Ee7AEfA40C3EAaBB27A9733
Distributor	0xEA8620aAb2F07a0ae710442590D649ADE8440877
CampaignManagerV1	0x26Bde0AC5b77b65A402778448eCac2aCaa9c9115
HarvestReceiver	0x328F54EF595876aEB3061046a9d119ac7bCe9d5f
HarvestKeeper	0x2e56D72BA76239C359062f5155cBF76cCa0Ea277

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

Anything outside of the in scope contracts.

Prohibited Actions

No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
No Conflict of Interest: Individuals currently or formerly employed by PancakeSwap, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Report must include:

A clear description of the vulnerability and its impact.
Steps to reproduce the issue (proof of concept preferred).
Conditions under which the issue occurs.
Potential implications if exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
If a reported issue is exploited before it is fixed, the submission will not be eligible for a bounty.

Note: Please note that all POCs must be written against a mainnet fork.

Eligibility

To be eligible for a reward, you must:

Be the first to report a previously unknown, non-public vulnerability within the defined scope.
Provide sufficient information to reproduce and fix the vulnerability.
Not have exploited the vulnerability in any malicious manner.
Not have disclosed the vulnerability to third parties before receiving permission.
Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

High: Very easy to exploit or highly incentivized.
Medium: Exploitation is possible under certain conditions.
Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

Core Smart Contract Code

Risk Score	Payout Range
Critical	Up to $1,000,000
High	Up to $20,000
Medium	—
Low	—

Note:

Rewards will be further capped at 5% of direct funds at risk at the time of reporting the bug.
Actual reward amounts are determined at PancakeSwap's sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
This program follows the policy where a report is eligible for bounty only if a fix is implemented.

Out of Scope

Please refer to the default out of scope rules in the Cantina documentation.

Other Terms

By submitting a report, you grant PancakeSwap the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of PancakeSwap. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.