PANews, June 18 – According to SlowMist monitoring, Little Boy Plus was attacked, resulting in a loss of approximately 377,642 USDT (about 610.555 BNB). The vulnerability stems from the fact that the _update function in the LBPHashrate contract can be triggered via a zero-value transferFrom call, bypassing OpenZeppelin’s authorization checks. An attacker can call this function without authorization, triggering _harvest and minting LBP tokens to the PancakePair address through LBP.mintReward. The minted LBP increases the pool balance without altering reserves, and the attacker subsequently drains USDT via PancakePair.swap.
SlowMist: Little Boy Plus attacked, losing approximately $378,000
Author: PA一线
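
The mechanism described in the report above, as an added Python model (not the LBPHashrate, LBP, PancakePair or OpenZeppelin source). The class, the fixed reward, the account names and the zero-value guard are assumptions made for illustration; the guard is one possible mitigation, not the project's published fix.

```python
# Simplified, constructed model of the reported accounting flaw.
class HookedToken:
    """ERC20-like token whose _update hook has a minting side effect."""

    def __init__(self, pair, reward, guard_hook):
        self.balances = {}
        self.allowances = {}          # (owner, spender) -> approved amount
        self.pair = pair              # account credited by the reward side effect
        self.reward = reward          # assumed fixed reward per harvest
        self.guard_hook = guard_hook  # True = hardened variant

    def transfer_from(self, caller, owner, to, value):
        # OpenZeppelin-style allowance check: it fails only when
        # allowance < value, so value == 0 passes with no approval at all.
        allowed = self.allowances.get((owner, caller), 0)
        if allowed < value:
            raise PermissionError("insufficient allowance")
        self.allowances[(owner, caller)] = allowed - value
        self._update(owner, to, value)

    def _update(self, owner, to, value):
        if self.balances.get(owner, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[owner] = self.balances.get(owner, 0) - value
        self.balances[to] = self.balances.get(to, 0) + value
        # Hardened variant: a zero-value transfer moves nothing, so it
        # must not reach the reward logic.
        if self.guard_hook and value == 0:
            return
        self._harvest()

    def _harvest(self):
        # Side effect from the report: reward tokens minted to the pair.
        self.balances[self.pair] = self.balances.get(self.pair, 0) + self.reward


def unaccounted_balance(token, pair, reserve):
    """Pair balance above its recorded reserve; a swap treats this as input."""
    return token.balances.get(pair, 0) - reserve


def simulate(guard_hook):
    token = HookedToken(pair="PAIR", reward=1_000, guard_hook=guard_hook)
    token.balances["PAIR"] = 50_000   # constructed starting state
    reserve = 50_000                  # pair's recorded reserve, in sync
    # An unapproved third party triggers the hook on someone else's account.
    token.transfer_from(caller="ANYONE", owner="HOLDER", to="ANYONE", value=0)
    return unaccounted_balance(token, "PAIR", reserve)
```

A non-zero `unaccounted_balance` that appears without a matching deposit is the signal a monitor can alert on, since the pair's balance has moved while its reserves have not.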


