Skip to main content
Sign in

OLPC / BnbLabubu Token (PancakeSwap Pool Exploit)

avoid.net/olpc-bnblabubu-token-pancakeswap-pool-exploit2/100·88% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·2PEfYu…Q8Bt

Summary

On June 20, 2026, an attacker drained approximately $1.1 million from the OLPC/LABUBU liquidity pool on PancakeSwap V2 (BNB Chain) by exploiting a logic flaw in the OLPC token's _update function, which triggered a massive burn of pool reserves. Approximately 46 days prior to the attack, the OLPC token contract owner had maliciously altered the decimalsValue parameter to an abnormally large integer before renouncing ownership, a sequence that security researchers and analysts widely characterize as a premeditated rug pull disguised as an external exploit. Stolen funds — 633.4 ETH — were bridged to Ethereum and deposited into Tornado Cash.

Connected Entities

1 entities · 10 linked investigations
Tokens
OLPC / BnbLabubu Token (PancakeSwap Pool Exploit)
Relationships
    Also appears in
    edgeX Exchange·28Saga EVM Blockchain·32Mach-O Man Malware Campaign (Lazarus / Chollima)·0Q2 2026 DeFi Record Hack Wave·0Alephium Bridge·18Shunda Park Scam Compound·0Trenton Johnston·0Thorchain DEX·28KuCoin Exchange Hack·32Trove Markets·8
    Have evidence about OLPC / BnbLabubu Token (PancakeSwap Pool Exploit)?

    Timeline(5 events)

    2026-05-05

    Approximately 46 days before the exploit, the OLPC token contract owner changed the decimalsValue parameter from 1 to an extremely large integer (reported as 7326680472586200649), embedding the condition required to trigger disproportionate token burns via the _update function.

    CryptoTimes / AMBCrypto

    2026-05-06

    Following the decimalsValue parameter change, the OLPC contract owner renounced ownership by transferring control to a dead address, making the malicious parameter permanent and irrevocable.

    CryptoTimes / CryptoNews.net

    2026-06-20

    Attacker (wallet 0x18d6...4fc188) routed approximately 10 OLPC tokens through a malicious contract, triggering the _update function and burning 51.9 million OLPC and 124,000 LABUBU tokens to a dead address. The pool reserve desynchronization enabled the attacker to drain remaining LABUBU at heavily discounted prices, extracting approximately $1.11 million (net ~$960,000).

    PeckShield / CryptoTimes / KuCoin News

    2026-06-20

    PeckShield publicly identified and tracked the OLPC/LABUBU pool exploit. SlowMist founder Yu Xian (Cosine) confirmed the OLPC contract's decimalsValue flaw. PancakeSwap issued a statement confirming its own smart contracts were unaffected.

    PancakeSwap (official statement) / AMBCrypto

    2026-06-20

    Attacker bridged stolen funds from BNB Chain to Ethereum and deposited 633.4 ETH into Tornado Cash. An additional 0.0221 BNB and 0.0411 ETH were sent to dead addresses.

    CryptoNews.net / FX Daily Report
    Provenance & Audit Trail
    Anchored on SolanaVerify on-chain

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    full audit log →version history →

    model: claude-sonnet-4-6

    generated: 6/25/2026, 11:22:52 PM

    last updated: 6/25/2026, 11:23:00 PM

    avoid.net — verified advice for a post-truth world