defirisk.co
rubric v1.7.0

ERC-777/1155/721 hook without reentrancy guard

PancakeSwap's assessment for RD-F-015 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The core AMM does not explicitly integrate ERC-777 tokensReceived or ERC-721 onReceived callbacks. However, the 2025 BCE/USDT ($679K) and OCA/USDC ($422K) pool drains both involved fee-on-transfer token interactions with the AMM: the V3 lock() partially mitigates reentrancy but does not prevent reserve accounting distortion via fee-on-transfer tokens. This is a class risk inherent to permissionless AMM pools with arbitrary ERC-20 support. The score is yellow because the risk is present at the pool level even though no ERC-777-specific reentrancy was exploited.

Methodology

Determine whether the protocol integrates token standards with callbacks (ERC-777 tokensReceived, ERC-1155 onReceived, ERC-721 onReceived) without reentrancy guards on the affected functions.
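
One way to triage Solidity source for this factor, as an added example (not defirisk.co's or PancakeSwap's code): it lists functions that implement a token hook or make a hook-triggering "safe" call and carry no guard modifier. The guard names (nonReentrant, and lock as mentioned in the evidence summary), the helper names and the Vault contract are assumptions made for illustration.

```python
import re
# Hook implementations, plus the ERC-721/ERC-1155 "safe" calls that invoke a recipient hook.
CALLBACK_MARKERS = (
    "tokensReceived", "tokensToSend",  # ERC-777 hooks
    "onERC721Received", "onERC1155Received", "onERC1155BatchReceived",
    "safeTransferFrom", "safeBatchTransferFrom", "_safeMint",
)
GUARD_MODIFIERS = ("nonReentrant", "lock")  # assumption: guard names used by the code base
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")

def functions(source):
    """Yield (name, header, body); brace matching ignores comments and strings."""
    for m in FUNC_RE.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(2), source[m.end():i - 1]

def unguarded_callback_functions(source):
    """Return {function: [markers]} for callback-touching functions with no guard."""
    findings = {}
    for name, header, body in functions(source):
        hits = [k for k in CALLBACK_MARKERS
                if name == k or re.search(r"\b" + k + r"\s*\(", body)]
        guarded = any(re.search(r"\b" + g + r"\b", header) for g in GUARD_MODIFIERS)
        if hits and not guarded:
            findings[name] = hits
    return findings

# Constructed sample contract (not taken from any real protocol).
SAMPLE = """
contract Vault {
    function deposit(uint256 id) external {
        nft.safeTransferFrom(msg.sender, address(this), id);
        held[msg.sender] += 1;
    }
    function withdraw(uint256 id) external nonReentrant {
        held[msg.sender] -= 1;
        nft.safeTransferFrom(address(this), msg.sender, id);
    }
    function onERC721Received(address, address, uint256, bytes calldata)
        external returns (bytes4) { return this.onERC721Received.selector; }
}
"""

if __name__ == "__main__":
    for fn, markers in unguarded_callback_functions(SAMPLE).items():
        print(f"review {fn}: touches {markers} with no reentrancy guard")
```

OpenZeppelin's SafeERC20 also exposes safeTransferFrom for plain ERC-20 tokens, so each hit is a candidate for manual review, not a confirmed finding.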

rubric_version: v1.7.0
protocol: pancakeswap
factor: RD-F-015
score: yellow
collected_at: 2026-04-28 19:10:57