Little Boy Plus, a BNB Chain mining protocol that advertised no team and no admin keys, was drained of about $377,000 after a logic flaw let an attacker mint its token out of thin air — no stolen key required.
A protocol built to need no trust
Little Boy Plus markets itself as a fully decentralized DeFi mining protocol on BNB Smart Chain, with a fixed supply of 21,000,000 LBP and, in its own words, no team, no pre-mine, and no admin keys. The entire pitch rests on the idea that no privileged party can inflate the token’s supply.
The exploit cut straight through that promise. According to SlowMist, the attacker minted fresh LBP without holding any admin key or compromising a private wallet — the unauthorized mint was reachable through ordinary public contract calls.
How the zero-value transfer bug worked
SlowMist traced the flaw to the LBPHashrate._update() function in the contract at 0x5e3c...585fe, which it said is triggered by zero-value transferFrom calls that bypass OpenZeppelin’s allowance check. That let the attacker call LBPHashrate.transferFrom(pair, DEAD, 0) without the pair’s authorization.
That call triggered _harvest(pair), which minted LBP straight to the PancakePair address via LBP.mintReward(pair, reward). The minted tokens raised the pair’s LBP balance but not its tracked reserve — and that imbalance let the attacker drain the pool’s USDT through PancakePair.swap().
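The mechanism SlowMist describes, as an added example: a simplified Python model written for this article, not the LBPHashrate source or SlowMist's code. The pool sizes, the pending reward and the hardened check (rejecting zero-value transferFrom calls from third parties) are assumptions chosen for illustration; the page does not state what fix, if any, was applied.

```python
# Simplified model of the flaw described above (constructed; not the LBPHashrate source).
DEAD = "dead"

class Pair:
    """Constant-product pool that tracks reserves separately from balances."""
    def __init__(self, lbp, usdt):
        self.reserve_lbp, self.reserve_usdt = lbp, usdt   # updated only by the pair
        self.bal_lbp, self.bal_usdt = lbp, usdt           # real token balances

    def unaccounted_lbp(self):
        # swap() treats any balance above the reserve as input already paid
        return self.bal_lbp - self.reserve_lbp

    def usdt_exposed(self):
        # USDT a swap would release for the unaccounted LBP (x*y=k, fees ignored)
        extra = self.unaccounted_lbp()
        return self.reserve_usdt * extra // (self.reserve_lbp + extra)

class Hashrate:
    """Token whose transfer hook harvests mining rewards for the sender."""
    def __init__(self, pair, pending_reward, hardened=False):
        self.pair, self.pending, self.hardened = pair, pending_reward, hardened
        self.allowance = {}                               # (owner, spender) -> amount

    def transfer_from(self, caller, owner, to, value):
        # Allowance check in the OpenZeppelin style: spending 0 always passes
        if self.allowance.get((owner, caller), 0) < value:
            raise PermissionError("insufficient allowance")
        # Assumed mitigation: no third-party zero-value transfers
        if self.hardened and value == 0 and caller != owner:
            raise PermissionError("zero-value transfer by third party")
        self._update(owner, to, value)

    def _update(self, owner, to, value):
        self._harvest(owner)                              # side effect runs even for value 0

    def _harvest(self, account):
        if account is self.pair:
            self.pair.bal_lbp += self.pending             # mintReward(pair, reward)
            self.pending = 0

def run(hardened):
    pair = Pair(lbp=1_000_000, usdt=400_000)              # constructed pool sizes
    token = Hashrate(pair, pending_reward=250_000, hardened=hardened)
    try:
        token.transfer_from("outsider", pair, DEAD, 0)    # caller holds no allowance
    except PermissionError:
        pass
    return pair.unaccounted_lbp(), pair.usdt_exposed()
```

A non-zero value from unaccounted_lbp() after a call that moved no tokens is the invariant break worth asserting in a test suite for any token whose transfer hook can mint.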
The addresses and the open questions
SlowMist identified the attacker as 0x5449ded887576f43fc339851e942ebc1e6f8118b, the victim pair as 0x00e3ea08fd8cbad955ec5d2292ad637670c31524, and the vulnerable LBPHashrate contract as 0x5e3cbc82d020be91a989eb747934104e9ab585fe, pinning the loss at roughly 377,642 USDT (~610.555 BNB).
As of publication, the Little Boy Plus Foundation had not issued a public statement on the incident, and there was no word on whether any of the drained funds could be recovered.
The latest in a run of BSC reward-logic drains
The attack fits a pattern that has accelerated across BNB Chain through 2026. Just a day earlier, SlowMist flagged the DIP token drain of about $111K, where a transfer bug let skim() double-drain reserves and rewrite an AMM pair’s price. It belongs to the same structural class: a token’s own logic being coaxed into skewing a PancakeSwap pool.
In February, SOF and LAXO were drained for $438K combined when flash loans turned tiny mining-reward emissions into reserve imbalances. Earlier this month, the ATM token lost about $243K to a transferFrom branch that quietly swapped out extra BSC-USD on each transfer.
The through-line is consistent: small BSC mining and reward tokens keep failing when custom transfer or emission logic can be manipulated to skew PancakeSwap reserves, a class of bug that no amount of “no admin keys” branding can prevent.
