The OLPC/LABUBU liquidity pool on PancakeSwap V2 was attacked, causing the loss of approximately $1.11 million in USDT and yielding an estimated net profit of $960,000 for the perpetrator.
Attack Mechanics
On the BNB Chain, the breach triggered an obscure function within the OLPC/LABUBU pair, moving about 10 OLPC tokens into the attacker’s contract. This maneuver led to the burning of roughly 51.9 million OLPC and 124,000 LABUBU tokens from the pool address 0xedb7…f365 to the dead address 0x…dead.
Subsequent transactions drained the LABUBU side of the pool, routing assets through the LABUBU/WBNB and WBNB/USDT pathways. The conversion process generated a total of 1,115,903 USDT, which the attacker later bridged to Ethereum.
Aftermath and Market Implications
Investigators suggest the exploit may stem from the deflationary nature of tokens that burn on transfer, creating reserve imbalances in fixed‑multiplier pools. The mismatch between cached reserves and actual balances gave the attacker a window to siphon funds.
After bridging, the criminal deposited roughly 633.4 ETH into Tornado Cash and transmitted an additional 0.0221 ETH, further obscuring the trail. Investors on the BNB Chain now face heightened scrutiny of liquidity‑pool security, while the incident underscores ongoing vulnerabilities in crypto infrastructure.