Prior exploit count

PancakeSwap's assessment for RD-F-077 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

1 confirmed on-chain pool incident: BCE/USDT V3 pool exploit March 2025 (~$679K loss; root cause is BCE token's malicious fee-on-transfer burn-to-pair logic, not AMM code). No recovery confirmed. 2021 Lottery vulnerability was a successful bug-bounty disclosure (not an exploitation). 2021 DNS hijack and 2025 X hack are off-chain incidents not counted. Conservative yellow: 1 incident, no recovery.

Sources #

URL
BlockSec: PancakeSwap BCE-USDT pool attacked — ChainCatcherBlockSec confirmation of BCE/USDT pool attack via ChainCatcherretrieved 2026-04-28
URL
PancakeSwap Fee-on-Transfer Exploit Post-Mortem — MediumMedium fee-on-transfer post-mortem analysis — root cause: BCE scheduledDestruction burns from pair addressretrieved 2026-04-28
URL
PancakeSwap Lottery Vulnerability Post-Mortem — ImmunefiImmunefi post-mortem: Lottery vulnerability disclosed and patched, not exploited (Feb 2021)retrieved 2026-04-28
URL
PancakeSwap Exploit: BCE/USDT Pool — CryptoNewsCryptoNews BCE/USDT pool exploit report (~$679K, March 2025)retrieved 2026-04-28

Methodology #

Count the number of distinct incidents in the hack database affecting this protocol.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol pancakeswap factor RD-F-077 score yellow collected_at 2026-04-28 19:10:57