Back in April 2025, I was deep in PancakeSwap’s Infinity Core when I noticed something that didn’t sit right with me. In their Vault.sol, the lock() function was making an external call to lockAcquired() before doing any internal delta checks. For those familiar with smart contract security, this is a red flag. It breaks the Checks-Effects-Interactions (CEI) pattern — the very thing designed to prevent reentrancy vulnerabilities. And this wasn’t just a small slip-up. It opened the door to cro...

Back in April 2025, I was deep in PancakeSwap’s Infinity Core when I noticed something that didn’t sit right with me. In their Vault.sol, the lock() function was making an external call to lockAcquired() before doing any internal delta checks. For those familiar with smart contract security, this is a red flag. It breaks the Checks-Effects-Interactions (CEI) pattern — the very thing designed to prevent reentrancy vulnerabilities. And this wasn’t just a small slip-up. It opened the door to cro...