Key Highlights
- The OLPC/LABUBU PancakeSwap pool was exploited, leading to a loss of about $1.1 million.
- The attacker triggered a token burn bug/mismatch in pool balances, then drained liquidity and swapped it into about 1.11M USDT.
- Funds were quickly moved across chains and partly hidden using tools like Ethereum bridging and Tornado Cash.
On June 20, an attacker drained approximately $1.1 million from the OLPC/LABUBU liquidity pool on PancakeSwap V2 running on the BNB Chain, according to security firm PeckShield.
The attacker took advantage of how the pool handled token balances and quickly drained value from it.
PeckShield suggests that the exploit is on PancakeSwap; however, social media pundits strongly suspect the incident was a premeditated inside job, often called a “rug pull,” that exploited a fatal logic flaw intentionally planted in the OLPC token’s smart contract.
How the exploit happened
In a detailed X post on Saturday, security firm ExVul confirmed the exploit, stating that the attack started when a small amount of about 10 OLPC tokens was pushed through a malicious contract. This small action triggered a much bigger reaction inside the system, which resulted in a massive burn event in which approximately 51.9 million OLPC and 124,000 LABUBU were sent to a dead address.
This sudden burn caused a big problem inside the liquidity pool because the pool’s internal records no longer matched the real token balances.
In simple terms, the pool became “confused.” It still thought it had certain amounts of tokens, but the real amounts had already changed. Because of this mismatch, the attacker was able to take advantage of the system.
Liquidity pool imbalance and reserve issue
Yu Xian, the founder of SlowMist, confirmed that the issue came from a serious imbalance in the OLPC/LABUBU pair. The pool’s internal logic depends on reserve calculations, but these reserves were pushed out of sync.
The imbalance was reportedly linked to a function in OLPC’s contract where value could be burned based on a multiplier called decimalsValue. Under normal conditions, this value is small.
However, about 46 days before the exploit, the OLPC contract owner reportedly changed decimalsValue to an extremely large number: 7326680472586200649. This change significantly amplified how much OLPC could be burned during certain operations.
A few days later, the OLPC owner renounced ownership of the contract, sending control to a dead address. This meant the parameter could no longer be reversed or corrected.
Triggering the exploit
When the attacker interacted with the system, the inflated decimalsValue was triggered inside the pair’s _update function. This caused an abnormal burn of OLPC tokens, which directly distorted the pool’s reserve balance.
As a result, the OLPC/LABUBU pair became heavily imbalanced. The pool still assumed normal reserves existed, but the actual token amounts had been reduced sharply. This mismatch created an opportunity for the attacker to extract LABUBU at a very low cost using a small OLPC input.
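The pricing effect described above can be reproduced with the standard constant-product formula, alongside a monitoring check that flags a pair balance falling by more than its swaps explain. This is an added illustration, not code from OLPC, PancakeSwap, or the security firms quoted; the function names, the 5% threshold, and every reserve, amount and block number are constructed assumptions.

```python
# Added illustration: constant-product pair whose reserve is cut by a token-side burn.
# All reserves, amounts and block numbers are constructed, not taken from the incident.
FEE_NUM, FEE_DEN = 9975, 10000  # PancakeSwap V2 keeps a 0.25% swap fee


def amount_out(amount_in, reserve_in, reserve_out):
    """Uniswap-V2-style quote: output for amount_in against the stored reserves."""
    x = amount_in * FEE_NUM
    return x * reserve_out // (reserve_in * FEE_DEN + x)


def quote_after_burn(amount_in, reserve_in, reserve_out, burned):
    """Same quote once `burned` units have left the input side outside any swap."""
    return amount_out(amount_in, reserve_in - burned, reserve_out)


def drift_alerts(samples, max_unexplained=0.05):
    """Return blocks where a pair's balance fell by more than swaps account for.

    Each sample: (block, balance_before, swapped_in, swapped_out, balance_after).
    """
    flagged = []
    for block, before, s_in, s_out, after in samples:
        unexplained = before + s_in - s_out - after
        if before and unexplained / before > max_unexplained:
            flagged.append(block)
    return flagged


# Constructed per-block observations of the burnable token held by the pair.
SAMPLES = [
    (100, 1_000_000, 500, 0, 1_000_500),   # ordinary swap in
    (101, 1_000_500, 0, 2_000, 998_500),   # ordinary swap out
    (102, 998_500, 10, 0, 110),            # balance collapses outside the swap math
]

if __name__ == "__main__":
    print("10 in, balanced pool:", amount_out(10, 1_000_000, 1_000_000))
    print("10 in, after burn:   ", quote_after_burn(10, 1_000_000, 1_000_000, 999_900))
    print("blocks to review:    ", drift_alerts(SAMPLES))
```

The same 10-unit input that buys 9 units from the balanced pool is quoted 90,702 units once the input-side reserve has been burned down, which is why a sudden unexplained drop in a pair's balance is worth alerting on.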
How funds were moved
The attacker drained the LABUBU side of the pool and started moving the stolen tokens through other trading pairs like LABUBU/WBNB and WBNB/USDT. In the end, the attacker managed to convert everything into about 1,115,903 USDT.
The attacker’s wallet involved in the exploit was identified as “0x18d6…4fc188”. The main pool that was attacked had the address “0xedb7…c9f365.” After stealing the funds, the attacker did not stay on one chain for long.
PeckShieldAlert reported that the funds were moved from BNB Chain to Ethereum. On Ethereum, about 633.4 ETH was sent into Tornado Cash, a platform that is often used to hide crypto transactions so that they become untraceable. Smaller amounts like 0.0221 BNB and 0.0411 ETH were also sent to a dead address, making the funds harder to trace.
PancakeSwap response
Meanwhile, PancakeSwap reacted to the incident in a post, saying it was aware of what happened in the OLPC/LABUBU pool. The platform made it clear that its own smart contracts were not affected.
“Our initial investigation has confirmed that there are no issues with PancakeSwap’s smart contracts,” the team said. They added that they are still investigating and will share updates through official channels.
Wider wave of crypto exploits
This incident adds to a growing list of crypto security breaches that have happened this year. On June 18, Aztec Network’s Private Rollup Bridge was also hit for about $2.165 million, including ETH, DAI, and renBTC. Before that, Axelar also reported an exploit involving around $4.67 million in assets that were moved through a bridge into Secret Network. That attack came from a weakness in a specific smart contract that handles cross-chain transfers.
Axelar later explained that the issue did not affect its main system, only one part of the bridge setup. They paused the affected connections and started working with exchanges and law enforcement to track the stolen funds.
Looking at the bigger picture, many of these attacks this year are not breaking blockchains themselves. Instead, they are taking advantage of mistakes in smart contract logic, token design, or how systems track balances.
So far, these types of exploits have contributed to nearly $400 million in losses this year, including large cases like KelpDAO (around $292 million) and Drift Protocol ($295 million) attacks.
