PancakeSwap-logo

PancakeSwap

PancakeSwap is a decentralized exchange running on Binance Smart Chain and other multiple chains, with lots of other features that let you earn and win tokens. It's fast, cheap, and anyone can use it. It's also got pancakes and rabbits.

Aptos
BSC
Defi
AMM
DEX
Move
Solidity
Maximum Bounty
$1,000,000
Live Since
28 March 2021
Last Updated
08 April 2024
  • PoC required

Submit a Bug

Rewards by Threat Level

Smart Contract
Critical
Group 1: Up to USD $1,000,000 or Group 2: Up to USD $100,000
High
Group 1: From USD $20,000 or Group 2: From $5,000
Medium
Group 1: From USD $2,000 or Group 2: From $2,000
Websites and Applications
Critical
USD $7,500
High
USD $4,000
Medium
USD $1,500

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System 2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Smart Contract rewards are classified by Group 1 and Group 2.

Group 1 consists of the core swap and reward components such as:

AMM: Pancakeswap V2, V3, Stableswap and related periphery contracts Staking: Masterchef V2, V3, Smart Chef (Syrup pools), Cake Pool

Group 2 consists of other contracts not mentioned in group 1.

Group 1 rewards are notated in the rewards table by the higher ranges listed by severity level, while Group 2 rewards are notated by the lower ranges listed by severity level.

All bug reports must include a Proof of Concept demonstrating how the vulnerability can be exploited to be eligible for a reward.

The final reward amount for critical vulnerabilities is capped at 10% of the funds at risk based on the vulnerability reported.

Critical smart contract vulnerability payouts for Group 1 are a minimum of USD $50,000, or 10% of the value at risk at the time of report submission, with a hard cap of USD $1,000,000, whichever is larger. Value at risk should be calculated primarily (though not exclusively) based on concrete and demonstrable funds at risk. Any supplementary reward beyond the minimum USD $50,000 or 10% of value at risk is at the discretion of the team.

Critical smart contract vulnerability payouts for Group 2 are a minimum of USD $20,000, or 10% of the value at risk at the time of report submission, with a hard cap of USD $100,000, whichever is larger. Value at risk should be calculated primarily (though not exclusively) based on concrete and demonstrable funds at risk. Any supplementary reward beyond the minimum USD $20,000 or 10% of value at risk is at the discretion of the team.

All non-critical rewards for the project bug bounty program are scaled based on an internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself, which is especially factored in with bug reports requiring multiple conditions to be met that are currently not in-place. Rewards will be provided at the determined fair value by the team depending on these conditions, assuming that the bug report is in-scope of the bug bounty program.

XSS reports are restricted to those that have an impact of prompting a user to sign a transaction or a redirect.

All payouts are done by the PancakeSwap team and are pegged to the USD values set here and are payable in CAKE or USDT.

Program Overview

PancakeSwap is a decentralized exchange running on Binance Smart Chain and other multiple chains, with lots of other features that let you earn and win tokens. It's fast, cheap, and anyone can use it. It's also got pancakes and rabbits.

The exchange is an automated market maker (“AMM”) that allows tokens to be exchanged on the Binance Smart Chain and other multiple chains. On top of that, you can earn CAKE with yield farms, earn CAKE with Staking, and earn even more tokens with Syrup pools.

The PancakeSwap bug bounty program is focused around its smart contracts, websites, and apps with a primary interest in the prevention of loss of user funds, either by direct draining of locked funds or social engineering attacks by redirecting users or forcing them to sign a transaction. Priority and focus is placed on issues that can result in irreversible financial loss.

KYC not required

No KYC information is required for payout processing.

Prohibited Activities

Default prohibited activities
  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity. Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.