Crypto & Web3·Jun 21, 2026

BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch – Details

AMB Crypto · 2 min read · Single source
Another day, another exploit. On the 20th of June, an attacker stole approximately $1.11 million worth of assets. This was done by taking advantage of the OLPC/LABUBU liquidity pool on PancakeSwap V2 on the BNB Chain. The attack exploited a flaw in how the pool’s constant-product market maker interacted with OLPC’s deflationary mechanism. While the pair’s cached reserves remained unchanged, its actual token balances collapsed after a small transfer from the attacker’s contract. That transfer triggered the burn of roughly 51.9 million OLPC and 124,000 LABUBU tokens from the pool to a dead address.

Further details of the attack

The reserve mismatch created a severe pricing distortion. As a result, the attacker bought and drained the remaining LABUBU at heavily discounted prices. At the time of writing, it remained unclear whether the vulnerability had been intentionally introduced long before the attack. However, preliminary analysis suggested the exploit may have stemmed from a previously modified decimalsValue parameter in the OLPC contract.

How did this vulnerability originate?

A more in-depth analysis suggests that this exploit appears to have stemmed from a long-standing flaw in the OLPC token. About 46 days before the attack, the token owner changed the decimalsValue parameter from 1 to an enormous number. This enabled excessive token burns through the _update() function.

The incident has also raised suspicions. Weeks before ownership was renounced, the OLPC contract’s decimalsValue had already been set to an unusually high level. That timing suggested the flaw may have been embedded long before the exploit occurred. Notably, there have been no reports of the stolen funds moving to other chains, entering Tornado Cash, or being distributed across multiple wallets.

Attacks in June

With another exploit, the total value of hacks in June to date has reached $60.03 million, according to DeFiLlama data.

Source: DeFiLlama

This coincided with Humanity Protocol [H] experiencing a significant exploit, which caused losses of about $32 million. Aztec Network saw yet another notable exploit resulting in the drainage of 1,158 Ethereum [ETH], 150,000 DAI, and 0.4696 renBTC. Additionally, UXLink, which was targeted back in September 2025, recently witnessed the attacker transferring approximately $8.1 million in Ethereum into Tornado Cash.

Final Summary

The attack took advantage of a reserve desynchronization vulnerability brought on by the deflationary mechanisms of the OLPC token. Before exchanging the profits, the attacker was able to drain LABUBU liquidity at advantageous rates due to the resulting pricing distortion.

Integrity note  ·  Xela does not rewrite or paraphrase article content. The excerpt above is the source publication's own words, sanitized for display. For the full piece — including any quotes, charts, or images — read it at AMB Crypto. Xela's rewritten version is off for this story, so there's no editorial angle attached — you're getting the source's reporting unfiltered. When the rewrite is on, we add a What this means block underneath with the operator/trader takeaway.
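The reserve desynchronization the article describes can be watched for by comparing a pair's cached reserves with its live token balances. The Python sketch below is an added example, not code from AMB Crypto or from the OLPC or PancakeSwap contracts; the snapshot type, the 0.1% threshold, the block numbers and the pre-burn reserves are assumptions, amounts are in whole tokens, and only the two burn sizes come from the article.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class PairSnapshot:
    """Cached reserves vs. live balances of a V2-style pair, in whole tokens."""
    block: int
    reserve0: int  # getReserves() value for token0 (OLPC in this sample)
    reserve1: int  # getReserves() value for token1 (LABUBU in this sample)
    balance0: int  # token0.balanceOf(pair)
    balance1: int  # token1.balanceOf(pair)

def shortfall(s):
    """Fraction of each cached reserve that is no longer backed by balance."""
    def gap(reserve, balance):
        # balance > reserve is an ordinary donation, so clamp at zero
        return Fraction(max(reserve - balance, 0), reserve) if reserve else Fraction(0)
    return gap(s.reserve0, s.balance0), gap(s.reserve1, s.balance1)

def price_shift(s):
    """Price from live balances divided by price from cached reserves
    (both as token0 per token1). None if any side is empty."""
    if 0 in (s.reserve0, s.reserve1, s.balance0, s.balance1):
        return None
    return Fraction(s.balance0, s.balance1) / Fraction(s.reserve0, s.reserve1)

def check(s, max_shortfall=Fraction(1, 1000)):
    """Return alert strings; an empty list means the reserves are backed."""
    alerts = [
        f"block {s.block}: {name} balance is {float(f):.1%} below cached reserve"
        for name, f in zip(("token0", "token1"), shortfall(s)) if f > max_shortfall
    ]
    shift = price_shift(s)
    if alerts and shift is not None:
        alerts.append(f"block {s.block}: synced price would be {float(shift):.4f}x cached")
    return alerts

# Constructed snapshots: the pre-burn reserves are invented; the burn sizes
# (51.9 million OLPC, 124,000 LABUBU) are the figures quoted in the article.
HEALTHY = PairSnapshot(100, 52_000_000, 500_000, 52_000_000, 500_000)
DESYNCED = PairSnapshot(101, 52_000_000, 500_000,
                        52_000_000 - 51_900_000, 500_000 - 124_000)

if __name__ == "__main__":
    for snap in (HEALTHY, DESYNCED):
        print(snap.block, check(snap) or "ok")
```

In a pair of standard ERC-20 tokens the balance never falls below the cached reserve, so any non-zero shortfall is worth an alert on its own.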
