Audit log

Every state-changing event for Little Boy Plus - BSC DeFi Logic Exploit: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-07-01 12:22:50Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 430,091,547
    sig: 2bV6vRXUrdnu…YCAedRkM
    hash: 29gHBFNmKHrZ…5ghSkQdv (sha256 → base58)
    verifying row… | full verify ↗
    canonical bytes (10905 B):
    {"actor":"system:backfill","investigation_id":"5b99fcf0-9008-45ab-a8ad-41c9f6e6ad40","kind":"publish","page_slug":"little-boy-plus-bsc-defi-logic-exploit","published_at":"2026-07-01T12:22:50.452Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Little Boy Plus - BSC DeFi Logic Exploit","sections":[{"content":"Little Boy Plus (ticker: LBP) is a DeFi mining protocol deployed on BNB Smart Chain. The project's marketing emphasized trustlessness: it claimed no team involvement, no pre-mine, and no admin keys. Its tokenomics centered on a fixed supply of 21 million LBP tokens, drawing a conceptual parallel to Bitcoin's scarcity model. Liquidity was provided through a LBP/USDT pair on PancakeSwap. Hashrate credit — the mechanism governing reward emission — was tracked via a separate LBPHashrate contract, with LP share participation determining how much reward credit a participant accrued.","heading":"Protocol Overview","severity":"medium","sources":[{"credibility":2,"name":"Little Boy Plus Loses $377K After Exploit Targets Minting Bug — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/little-boy-plus-loses-377k-after-exploit-targets-minting-bug/"},{"credibility":2,"name":"Little Boy Plus LP-Share Hashrate Reserve Manipulation — DARKNAVY Blog","type":"research","url":"https://www.darknavy.org/web3/exploits/little-boy-plus-lp-share-hashrate-reserve-manipulation/"}]},{"content":"The vulnerability resided in the LBPHashrate contract (deployed at 0x5e3cbc82d020be91a989eb747934104e9ab585fe) and specifically in its _update() function. According to SlowMist's analysis, the _update function could be triggered via a zero-value transferFrom call, bypassing OpenZeppelin's standard allowance authorization check. 
By invoking transferFrom(pair, DEAD, 0) without holding any allowance or admin privilege, the attacker caused the contract to call _harvest(pair), which in turn invoked LBP.mintReward() and minted LBP tokens directly to the PancakeSwap LBP/USDT pair address. Because the pair's internal tracked reserves were not updated to reflect the newly minted tokens, the pair's actual LBP balance exceeded its reserve record. The attacker then called PancakePair.swap() to extract USDT against this artificially inflated balance.","heading":"Exploit: Logic Flaw in LBPHashrate Contract","severity":"critical","sources":[{"credibility":2,"name":"SlowMist: Little Boy Plus attacked, losing approximately $378,000 — PANews/PaNews","type":"news_article","url":"https://panews.io/articles/019ed87f-1642-7671-ba1f-85dc4e6316a8"},{"credibility":2,"name":"Little Boy Plus LP-Share Hashrate Reserve Manipulation — DARKNAVY Blog","type":"research","url":"https://www.darknavy.org/web3/exploits/little-boy-plus-lp-share-hashrate-reserve-manipulation/"},{"credibility":2,"name":"Little Boy Plus Loses $377K After Exploit Targets Minting Bug — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/little-boy-plus-loses-377k-after-exploit-targets-minting-bug/"}]},{"content":"A secondary attack vector documented by DARKNAVY involved manipulation of the notifyCredit function (selector 0xc51e31dc). This function calculates hashrate credit using the formula: hashAmount = 2 * lpDelta * currentRUsdt / currentTotalLp, where currentRUsdt is drawn directly from instantaneous pair reserves within the same transaction. The attacker obtained a flash loan of approximately 7,772,960.68 USDT from the Moolah protocol and withdrew an additional approximately 34,088,143.96 USDT from PancakeSwap's Infinity Vault using the lock/take mechanism. These funds were injected into the LBP/USDT pair to inflate the quote-side (USDT) reserve. 
When the settlement path ran, notifyCredit treated the inflated reserve as a trustworthy input, resulting in the minting of approximately 10.737 million hLBP. Cascading mintReward emissions totaled approximately 207,166.985 LBP, which the attacker sold back into the pair. All temporary liquidity was repaid to Moolah and the Infinity Vault; the permanent loss derived entirely from the artificially emitted reward tokens sold into the market.","heading":"Reserve Manipulation via Flash Loan","severity":"critical","sources":[{"credibility":2,"name":"Little Boy Plus LP-Share Hashrate Reserve Manipulation — DARKNAVY Blog","type":"research","url":"https://www.darknavy.org/web3/exploits/little-boy-plus-lp-share-hashrate-reserve-manipulation/"}]},{"content":"The total loss from the exploit was approximately 377,642 USDT, equivalent to roughly 610.56 WBNB at the time of the attack. The drained funds were subsequently transferred to Tornado Cash, a mixer protocol, making on-chain tracing and potential recovery substantially more difficult. No protocol insurance or compensation fund was identified.","heading":"Financial Impact","severity":"critical","sources":[{"credibility":2,"name":"Little Boy Plus Loses $377K After Exploit Targets Minting Bug — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/little-boy-plus-loses-377k-after-exploit-targets-minting-bug/"},{"credibility":2,"name":"Little Boy Plus LP-Share Hashrate Reserve Manipulation — DARKNAVY Blog","type":"research","url":"https://www.darknavy.org/web3/exploits/little-boy-plus-lp-share-hashrate-reserve-manipulation/"}]},{"content":"The attack was executed from the contract address 0x5449ded887576f43fc339851e942ebc1e6f8118b, which served as both the attack contract and the identified attacker address. A helper EOA (0xb26dfe6b6180a30e2a2d9826867cc7e06631825a) was used to deploy the attack contract. 
The exploit transaction hash is 0x55856d9fda4c5be5193561c7d775e823c3d6e499da44aab9da963daf61c50b0c, confirmed in block 104727184 on BNB Chain. The identities behind these addresses are not publicly known.","heading":"Attacker Identifiers","severity":"high","sources":[{"credibility":2,"name":"Little Boy Plus LP-Share Hashrate Reserve Manipulation — DARKNAVY Blog","type":"research","url":"https://www.darknavy.org/web3/exploits/little-boy-plus-lp-share-hashrate-reserve-manipulation/"},{"credibility":2,"name":"Little Boy Plus Loses $377K After Exploit Targets Minting Bug — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/little-boy-plus-loses-377k-after-exploit-targets-minting-bug/"}]},{"content":"As of the date of reporting (June 18, 2026), the Little Boy Plus project had issued no public statement regarding the exploit, and no recovery efforts or compensation plans were announced. The protocol's own marketing of 'no team, no admin keys' leaves no obvious administrative authority capable of implementing a patch or coordinating a response. 
DARKNAVY recommended that future protocols of this type adopt TWAP-based pricing or delayed reserve checkpoints instead of instantaneous reserve reads, implement transaction-level reserve-jump detection, and structurally separate liquidity accounting from reward mechanics.","heading":"Post-Incident Response","severity":"high","sources":[{"credibility":2,"name":"Little Boy Plus Loses $377K After Exploit Targets Minting Bug — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/little-boy-plus-loses-377k-after-exploit-targets-minting-bug/"},{"credibility":2,"name":"Little Boy Plus LP-Share Hashrate Reserve Manipulation — DARKNAVY Blog","type":"research","url":"https://www.darknavy.org/web3/exploits/little-boy-plus-lp-share-hashrate-reserve-manipulation/"}]},{"content":"Security researchers classified this incident as a combined logic exploit and oracle/reserve manipulation attack. The root causes were: (1) an authorization bypass in the ERC-20 transferFrom path of LBPHashrate that allowed any caller to trigger internal harvest and mint functions with a zero-value transfer; and (2) a trust-in-instantaneous-reserves flaw in notifyCredit, which consumed unauthenticated AMM reserve data from within the same transaction, enabling flash-loan-assisted reserve inflation. Neither component required a compromised private key or admin privilege. 
No audit report for the LBPHashrate contract was referenced in any post-incident coverage.","heading":"Vulnerability Classification","severity":"critical","sources":[{"credibility":2,"name":"SlowMist: Little Boy Plus attacked, losing approximately $378,000 — PANews/PaNews","type":"news_article","url":"https://panews.io/articles/019ed87f-1642-7671-ba1f-85dc4e6316a8"},{"credibility":2,"name":"Little Boy Plus LP-Share Hashrate Reserve Manipulation — DARKNAVY Blog","type":"research","url":"https://www.darknavy.org/web3/exploits/little-boy-plus-lp-share-hashrate-reserve-manipulation/"}]}],"sources_used":[{"credibility":2,"name":"Little Boy Plus Loses $377K After Exploit Targets Minting Bug — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/little-boy-plus-loses-377k-after-exploit-targets-minting-bug/"},{"credibility":2,"name":"Little Boy Plus LP-Share Hashrate Reserve Manipulation — DARKNAVY Blog","type":"research","url":"https://www.darknavy.org/web3/exploits/little-boy-plus-lp-share-hashrate-reserve-manipulation/"},{"credibility":2,"name":"SlowMist: Little Boy Plus attacked, losing approximately $378,000 — PANews/PaNews","type":"news_article","url":"https://panews.io/articles/019ed87f-1642-7671-ba1f-85dc4e6316a8"}],"summary":"Little Boy Plus (LBP) is a DeFi mining protocol on BNB Smart Chain that marketed itself as fully decentralized with no team, no pre-mine, and no admin keys, built around a fixed 21 million LBP token supply. On June 17–18, 2026, an attacker exploited a logic flaw in the protocol's LBPHashrate contract to artificially mint reward tokens and drain approximately $377,642 USDT (roughly 610.6 BNB) from the LBP/USDT PancakeSwap liquidity pair. No post-incident statement or recovery effort was announced by the project as of publication.","timeline":[{"date":"2026-06-17","event":"Exploit executed on BNB Chain in block 104727184. 
Attacker used flash loans and authorization bypass to mint approximately 207,166 LBP tokens and drain approximately 377,642 USDT from the LBP/USDT PancakeSwap pair.","source":"DARKNAVY Blog","source_url":"https://www.darknavy.org/web3/exploits/little-boy-plus-lp-share-hashrate-reserve-manipulation/"},{"date":"2026-06-18","event":"SlowMist published an alert via X/Twitter reporting the attack and approximately $378,000 in losses. Crypto Times and PANews reported the incident.","source":"Crypto Times / PANews","source_url":"https://www.cryptotimes.io/2026/06/18/little-boy-plus-loses-377k-after-exploit-targets-minting-bug/"},{"date":"2026-06-18","event":"Drained funds sent to Tornado Cash. Little Boy Plus Foundation had issued no public statement as of reporting.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/06/18/little-boy-plus-loses-377k-after-exploit-targets-minting-bug/"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision f63aba2c-8788-4efb-83e9-51eb8dabc44c
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
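The row-integrity check described above, written out as an added example (it is not avoid.net's verifier or `src.verify_decision`, whose internals this page does not show): it hashes the canonical bytes exactly as supplied, base58-encodes the SHA-256 digest and compares it with the stored value. The function names, result labels and sample record are constructed for illustration.

```python
import hashlib
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Base58 (Bitcoin alphabet), the text encoding Solana uses for hashes."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is written as a leading '1'.
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * zeros + out

def row_hash(canonical: bytes) -> str:
    """SHA-256 over the bytes exactly as stored, shown as base58."""
    return b58encode(hashlib.sha256(canonical).digest())

def verify_row(canonical: bytes, stored: str, declared_len: Optional[int] = None) -> str:
    """Return 'match', 'partial', 'length-mismatch' or 'mismatch'."""
    # A size check first catches copy/paste damage (added newline, CRLF,
    # re-serialised JSON) before it shows up as an unexplained hash failure.
    if declared_len is not None and len(canonical) != declared_len:
        return "length-mismatch"
    computed = row_hash(canonical)
    if "…" in stored:
        # UI form 'prefix…suffix': consistent with the hash, but not proof.
        head, tail = stored.split("…", 1)
        fits = len(computed) >= len(head) + len(tail)
        ok = fits and computed.startswith(head) and computed.endswith(tail)
        return "partial" if ok else "mismatch"
    return "match" if computed == stored else "mismatch"

# Constructed sample record (not the page's 10905-byte row).
SAMPLE = b'{"actor":"system:backfill","kind":"publish","sequence_num":1,"v":1}'
SAMPLE_HASH = row_hash(SAMPLE)

if __name__ == "__main__":
    shown = SAMPLE_HASH[:12] + "…" + SAMPLE_HASH[-8:]
    print(verify_row(SAMPLE, SAMPLE_HASH, len(SAMPLE)))
    print(verify_row(SAMPLE, shown))
    print(verify_row(SAMPLE.replace(b'"v":1', b'"v":2'), SAMPLE_HASH))
    print(verify_row(SAMPLE + b"\n", SAMPLE_HASH, len(SAMPLE)))
```

A `partial` result only means the bytes agree with the shortened hash a page displays; a full check needs the complete hash string, such as the one recorded in the on-chain memo.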