Ignored bounty disclosure

PancakeSwap's assessment for RD-F-008 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The 2021 Lottery V2 vulnerability was disclosed via Immunefi and patched before exploitation — this was a successful bounty catch, not an ignored disclosure. The 2025 BCE/USDT exploit was a third-party token interaction issue (fee-on-transfer token design flaw), not a disclosure that was ignored by the team. No post-mortem documents an ignored pre-exploit disclosure on core AMM.

Sources #

URL
Immunefi PancakeSwap Lottery Post-mortemImmunefi lottery vulnerability post-mortemretrieved 2026-04-29
URL
PancakeSwap BCE/USDT ExploitBCE/USDT exploit — third-party token interaction, not ignored core disclosureretrieved 2026-04-29

Methodology #

Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol pancakeswap factor RD-F-008 score green collected_at 2026-04-28 19:10:57