SlowMist’s Cosine Analyzes BNB Chain OLPC/LABUBU Pool Attack: Suspected Pre-Designed Vulnerability

PANews, June 20 – SlowMist Security founder Yu Xian published a post-mortem on the BNB Chain PancakeSwap OLPC/LABUBU liquidity pool theft, pointing out multiple suspicious manual operations in this attack.

The pool was drained through an exploitable logic flaw in the OLPC token contract: when specific conditions are met, the contract's _update function burns an amount of OLPC equal to value * decimalsValue. Under normal circumstances decimalsValue defaults to 1, but approximately 46 days before the attack the token owner maliciously changed this parameter to an extremely large value, 7326680472586200649. Several days after the change, the project team renounced the contract's owner privileges, setting the owner to the zero address.

After the parameter was tampered with, the ratio of funds in the OLPC/LABUBU trading pair became severely imbalanced. The attacker used the distorted decimalsValue to trigger the logic that burns the pool's reserve, swapped a small amount of OLPC for a large amount of LABUBU from the pool, and ultimately cashed out, transferring out a total of 1.115 million USDT.
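The following is an added example, not code from the OLPC contract or from SlowMist: a toy model of the value * decimalsValue burn, written as a check that a reviewer or monitoring job could run when an owner-settable multiplier changes. The reserves, the 18-decimal unit, the 0.25% swap fee, the cap on the burn and all function names are assumptions made for illustration.

```python
# Added illustration: a toy model, not the OLPC contract's code.
TAMPERED = 7326680472586200649   # decimalsValue reported in the article
UNIT = 10**18                    # assumption: 18-decimal token

def pool_burn(reserve, value, decimals_value):
    """Burn of value * decimalsValue taken from the pool's token balance.
    Assumption: the burn is capped so at least 1 base unit remains."""
    return min(value * decimals_value, reserve - 1)

def amount_out(amount_in, reserve_in, reserve_out, fee_bps=25):
    """Constant-product (x*y=k) swap output; the 0.25% fee is an assumption."""
    net = amount_in * (10_000 - fee_bps)
    return net * reserve_out // (reserve_in * 10_000 + net)

def assess(reserve_tok, reserve_other, decimals_value, probe=UNIT, limit_bps=100):
    """Risk check for a burn multiplier.

    burn_bps:     share of the pool's token reserve that a burn triggered
                  with a 1-token `value` would destroy (basis points).
    exposure_bps: share of the paired asset that a 1-token swap would
                  then be priced at (basis points).
    flag:         True when burn_bps exceeds limit_bps.
    """
    burned = pool_burn(reserve_tok, probe, decimals_value)
    burn_bps = burned * 10_000 // reserve_tok
    out = amount_out(probe, reserve_tok - burned, reserve_other)
    exposure_bps = out * 10_000 // reserve_other
    return {"burn_bps": burn_bps, "exposure_bps": exposure_bps,
            "flag": burn_bps > limit_bps}

# Constructed reserves for the example, not on-chain data.
R_OLPC, R_LABUBU = 1_000_000 * UNIT, 500_000 * UNIT

if __name__ == "__main__":
    for dv in (1, TAMPERED):
        print(dv, assess(R_OLPC, R_LABUBU, dv))
```

With the default multiplier the check reports no meaningful burn or exposure; with the reported value, a single-token burn empties the modelled reserve and the paired asset is almost entirely exposed, which is the condition a parameter-change alert should catch before ownership is renounced.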

 


Author: PA一线
