Verify a decision

{"actor":"system:backfill","investigation_id":"d93f8bac-a89c-4acf-9ac0-1ba862a52279","kind":"publish","page_slug":"olpc-bnblabubu-token-pancakeswap-pool-exploit","published_at":"2026-06-25T23:23:00.392Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"OLPC / BnbLabubu Token (PancakeSwap Pool Exploit)","sections":[{"content":"On June 20, 2026, the OLPC/LABUBU liquidity pool on PancakeSwap V2, operating on BNB Chain, was exploited for approximately $1.11 million. PeckShield first publicly identified and tracked the attack. The attack vector was a logic flaw in the OLPC token's _update function that caused a catastrophic burn of pool reserves, desynchronizing the pair's cached balances from actual token holdings. PancakeSwap subsequently confirmed via a public statement that its own smart contracts were unaffected: 'Our initial investigation has confirmed that there are no issues with PancakeSwap's smart contracts.' Fault was placed entirely on the OLPC token contract. The total crypto attack losses for June 2026 were reported at approximately $60.03 million across the industry, with this exploit representing a notable individual incident.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"BNB Chain OLPC/LABUBU Pool Exploited, $1.11M Stolen - KuCoin News","type":"news_article","url":"https://www.kucoin.com/news/flash/bnb-chain-olpc-labubu-pool-exploited-1-11m-stolen"},{"credibility":2,"name":"PancakeSwap Says Smart Contracts Unaffected as OLPC/LABUBU Pool Hack Causes $1.1 Million Loss - Bloomingbit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/114666"}]},{"content":"The attack exploited a reserve desynchronization vulnerability rooted in the OLPC token contract's deflationary mechanism. The attacker routed approximately 10 OLPC tokens through a malicious contract, triggering the _update function. Due to the anomalously large decimalsValue parameter embedded in the contract, this small transfer caused an outsized burn: approximately 51.9 million OLPC and 124,000 LABUBU tokens were sent to a dead address (0xed...f365). The pair's cached reserves, however, did not resynchronize after the balance collapse. This discrepancy between the pool's cached reserve data and its actual token balances created a severe pricing distortion in the constant-product market maker (AMM) formula. The attacker exploited the resulting price dislocation to purchase and drain the remaining LABUBU tokens at heavily discounted prices, extracting approximately 1,115,903 USDT net. The OLPC token experienced extreme price volatility during and after the attack: it crashed to $3.89 before spiking to $4,190 (a reported 6,839% increase), followed by a swift correction. SlowMist founder Yu Xian (known as Cosine) publicly confirmed that the OLPC contract's decimalsValue function, under certain conditions, could burn a quantity of tokens far greater than the amount that triggered the operation — the core mechanism enabling the exploit.","heading":"Technical Mechanism of the Exploit","severity":"critical","sources":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"PancakeSwap $OLPC/$LABUBU Pool Suffers $1.1 Million Exploit - FX Daily Report","type":"news_article","url":"https://fxdailyreport.com/pancakeswap-olpc-labubu-pool-suffers-1-1-million-exploit/"},{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"}]},{"content":"The most significant indicator of alleged insider involvement is a contract modification made approximately 46 days before the June 20 exploit. The OLPC token contract owner changed the decimalsValue parameter from 1 to an extremely large integer value — reported as 7326680472586200649 — a change that created the precise condition required for the _update function to trigger disproportionate token burns. Following this parameter change, the contract owner renounced ownership by transferring control to a dead address, thereby making the modification permanent and irrevocable before any external party could detect or reverse it. Security researchers and analysts widely characterize this sequence — deliberate parameter manipulation followed by ownership renunciation — as a premeditated rug pull architecture. The vulnerability is alleged to have been intentionally embedded in the contract and designed to be triggered at a later time. It remains unconfirmed whether the attacker who executed the June 20 transaction was the same party as the original OLPC contract owner, or a separate actor who identified the embedded vulnerability.","heading":"Alleged Premeditation: The decimalsValue Parameter Change","severity":"critical","sources":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"credibility":2,"name":"PancakeSwap OLPC/LABUBU Pool Exploited for $1.1 Million; Funds Moved to Tornado Cash - CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/33038552/"}]},{"content":"Following the exploit, the attacker swept LABUBU through the WBNB/USDT and LABUBU/WBNB pools and ultimately extracted approximately 1,115,903 USDT. The stolen funds were subsequently bridged from BNB Chain to Ethereum. The attacker deposited 633.4 ETH into Tornado Cash, a cryptocurrency mixing service used to obscure transaction trails. Additionally, 0.0221 BNB and 0.0411 ETH were sent to dead addresses. The use of Tornado Cash is consistent with patterns observed in deliberate theft and exit scam scenarios. As of reporting, no recovery of funds had been announced.","heading":"Fund Movement and Obfuscation","severity":"critical","sources":[{"credibility":2,"name":"PancakeSwap OLPC/LABUBU Pool Exploited for $1.1 Million; Funds Moved to Tornado Cash - CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/33038552/"},{"credibility":2,"name":"PancakeSwap $OLPC/$LABUBU Pool Suffers $1.1 Million Exploit - FX Daily Report","type":"news_article","url":"https://fxdailyreport.com/pancakeswap-olpc-labubu-pool-suffers-1-1-million-exploit/"},{"credibility":2,"name":"PancakeSwap OLPC/LABUBU Pool Exploited For $1.1 Million; Funds Moved To Tornado Cash - Bitcoin World","type":"news_article","url":"https://bitcoinworld.co.in/pancakeswap-olpc-labubu-pool-hack-1-1-million/"}]},{"content":"PeckShield was the first security firm to publicly identify and track the attack on June 20, 2026. SlowMist founder Yu Xian (Cosine) publicly confirmed the nature of the OLPC contract flaw, noting that the decimalsValue function could burn tokens far in excess of any triggering amount under certain conditions. PancakeSwap issued a public statement confirming no issues existed with its own smart contracts. PeckShield's identification of the exploit placed it in the category of token contract vulnerabilities rather than AMM protocol flaws, a categorization consistent with PancakeSwap's own assessment. No law enforcement referrals or on-chain bounty recovery mechanisms were publicly announced as of reporting.","heading":"Security Researcher Attribution and Response","severity":"high","sources":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"credibility":2,"name":"PancakeSwap Says Smart Contracts Unaffected as OLPC/LABUBU Pool Hack Causes $1.1 Million Loss - Bloomingbit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/114666"}]},{"content":"The OLPC/LABUBU exploit is representative of a documented category of DeFi attack in which deflationary or burn-on-transfer token mechanics create reserve desynchronization vulnerabilities in AMM liquidity pools. PancakeSwap V2 and similar constant-product market makers assume that token balances within a pool only change through explicit swap or liquidity operations tracked by the contract. Tokens with external burn mechanisms that fire during transfers can violate this assumption, creating exploitable pricing distortions. The June 2026 incident underscores persistent risks associated with listing low-liquidity or algorithmically novel tokens in permissionless AMM pools without prior security audits. This exploit occurred against the backdrop of $60.03 million in total crypto losses for June 2026, per DeFiLlama data cited in reporting.","heading":"Broader DeFi Risk Context","severity":"medium","sources":[{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"credibility":2,"name":"PancakeSwap $OLPC/$LABUBU Pool Suffers $1.1 Million Exploit - FX Daily Report","type":"news_article","url":"https://fxdailyreport.com/pancakeswap-olpc-labubu-pool-suffers-1-1-million-exploit/"}]},{"content":"The identities behind the OLPC token project and the attacker wallet (0x18d6...4fc188) are not publicly known as of reporting. No team has publicly claimed responsibility for the OLPC project, and no individual or organization has been formally attributed as the exploiter. It is alleged but unconfirmed that the OLPC token deployer and the attacker are the same actor or coordinated parties, given the precise alignment between the pre-planted decimalsValue manipulation and the exploit method used. The LABUBU token referenced in this incident appears to be a BNB Chain meme token distinct from the broader Labubu/Pop Mart collectible brand, which has no known association with this DeFi incident.","heading":"Identity and Attribution Unknowns","severity":"high","sources":[{"credibility":2,"name":"PancakeSwap OLPC/LABUBU Pool Exploited for $1.1 Million; Funds Moved to Tornado Cash - CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/33038552/"},{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"}]}],"sources_used":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"credibility":2,"name":"PancakeSwap OLPC/LABUBU Pool Exploited for $1.1 Million; Funds Moved to Tornado Cash - CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/33038552/"},{"credibility":2,"name":"PancakeSwap $OLPC/$LABUBU Pool Suffers $1.1 Million Exploit - FX Daily Report","type":"news_article","url":"https://fxdailyreport.com/pancakeswap-olpc-labubu-pool-suffers-1-1-million-exploit/"},{"credibility":2,"name":"BNB Chain OLPC/LABUBU Pool Exploited, $1.11M Stolen - KuCoin News","type":"news_article","url":"https://www.kucoin.com/news/flash/bnb-chain-olpc-labubu-pool-exploited-1-11m-stolen"},{"credibility":2,"name":"PancakeSwap Says Smart Contracts Unaffected as OLPC/LABUBU Pool Hack Causes $1.1 Million Loss - Bloomingbit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/114666"},{"credibility":2,"name":"PancakeSwap OLPC/LABUBU Pool Exploited For $1.1 Million; Funds Moved To Tornado Cash - Bitcoin World","type":"news_article","url":"https://bitcoinworld.co.in/pancakeswap-olpc-labubu-pool-hack-1-1-million/"}],"summary":"On June 20, 2026, an attacker drained approximately $1.1 million from the OLPC/LABUBU liquidity pool on PancakeSwap V2 (BNB Chain) by exploiting a logic flaw in the OLPC token's _update function, which triggered a massive burn of pool reserves. Approximately 46 days prior to the attack, the OLPC token contract owner had maliciously altered the decimalsValue parameter to an abnormally large integer before renouncing ownership, a sequence that security researchers and analysts widely characterize as a premeditated rug pull disguised as an external exploit. Stolen funds — 633.4 ETH — were bridged to Ethereum and deposited into Tornado Cash.","timeline":[{"date":"2026-05-05","event":"Approximately 46 days before the exploit, the OLPC token contract owner changed the decimalsValue parameter from 1 to an extremely large integer (reported as 7326680472586200649), embedding the condition required to trigger disproportionate token burns via the _update function.","source":"CryptoTimes / AMBCrypto","source_url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"date":"2026-05-06","event":"Following the decimalsValue parameter change, the OLPC contract owner renounced ownership by transferring control to a dead address, making the malicious parameter permanent and irrevocable.","source":"CryptoTimes / CryptoNews.net","source_url":"https://cryptonews.net/news/security/33038552/"},{"date":"2026-06-20","event":"Attacker (wallet 0x18d6...4fc188) routed approximately 10 OLPC tokens through a malicious contract, triggering the _update function and burning 51.9 million OLPC and 124,000 LABUBU tokens to a dead address. The pool reserve desynchronization enabled the attacker to drain remaining LABUBU at heavily discounted prices, extracting approximately $1.11 million (net ~$960,000).","source":"PeckShield / CryptoTimes / KuCoin News","source_url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"date":"2026-06-20","event":"PeckShield publicly identified and tracked the OLPC/LABUBU pool exploit. SlowMist founder Yu Xian (Cosine) confirmed the OLPC contract's decimalsValue flaw. PancakeSwap issued a statement confirming its own smart contracts were unaffected.","source":"PancakeSwap (official statement) / AMBCrypto","source_url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"date":"2026-06-20","event":"Attacker bridged stolen funds from BNB Chain to Ethereum and deposited 633.4 ETH into Tornado Cash. An additional 0.0221 BNB and 0.0411 ETH were sent to dead addresses.","source":"CryptoNews.net / FX Daily Report","source_url":"https://cryptonews.net/news/security/33038552/"}]},"v":1}