★ Audit scope mismatch

PancakeSwap's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Six independent audit firms cover distinct PancakeSwap surfaces (SlowMist, PeckShield, BlockSec, Hexens, OtterSec, Zellic). Infinity/V4 has 3 external firm audits (Hexens, OtterSec, Zellic) conducted in 2024 prior to April 2025 launch; OtterSec resolved 2 high-impact vulnerabilities pre-launch. Commit-SHA-to-deployed-bytecode matching was not achievable via static read. V3 audits (March 2023) are ~37 months old. Gap risk exists for any post-audit code changes between final 2024 Infinity audit and April 2025 launch.

Sources #

URL
OtterSec: PancakeSwap Infinity audit announcementOtterSec X post announcing 2 high-impact vulnerabilities resolved in Infinityretrieved 2026-04-29
URL
PancakeSwap AuditsPancakeSwap audits pageretrieved 2026-04-29
GitHub
PancakeSwap Infinity Core Audit Reportsinfinity-core audits directory (Hexens, OtterSec, Zellic PDFs)retrieved 2026-04-29

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol pancakeswap factor RD-F-001 score yellow collected_at 2026-04-28 19:10:57