Verify a decision

{"actor":"system:backfill","investigation_id":"dcedff0c-4e93-46e3-aee0-fc17bdb5a297","kind":"publish","page_slug":"olpc-token-pancakeswap-olpc-labubu-pool","published_at":"2026-06-24T23:03:30.590Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"OLPC Token / PancakeSwap OLPC-LABUBU Pool","sections":[{"content":"On June 20, 2026, a PancakeSwap V2 liquidity pool pairing the OLPC token with the LABUBU token on BNB Chain was exploited. Security firm PeckShield identified and reported the attack on-chain. Losses totaled approximately $1.11 million in USDT-equivalent assets. The attacker's primary wallet was identified by analysts as 0x18d6...4fc188, and the target pool contract was 0xedb7...c9f365. PancakeSwap issued a statement confirming that its own smart contracts contained no vulnerabilities; the exploit originated entirely in the OLPC token contract.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"PancakeSwap Says Smart Contracts Unaffected as OLPC/LABUBU Pool Hack Causes $1.1 Million Loss - BloomingBit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/114666"},{"credibility":2,"name":"BNB Chain OLPC/LABUBU Pool Exploited, $1.11M Stolen - KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/bnb-chain-olpc-labubu-pool-exploited-1-11m-stolen"}]},{"content":"Approximately 46 days before the June 20, 2026 exploit, the OLPC token deployer modified a parameter called decimalsValue within the contract's _update() function, changing it from its standard value of 1 to an astronomically large integer: 7326680472586200649. This parameter controls the multiplier applied to token burn amounts during pool balance updates. Under the normal value of 1, burns are proportional and unremarkable. Under the manipulated value, any transfer routed through the contract triggers burns orders of magnitude larger than intended. Following this modification, the deployer renounced contract ownership, a step security researchers characterized as an attempt to disguise the premeditation of the attack by making the contract appear decentralized and immutable. The 46-day gap between the parameter change and the exploit suggests the deployer waited for liquidity to accumulate in the pool before triggering the attack.","heading":"Premeditated Contract Manipulation (decimalsValue Backdoor)","severity":"critical","sources":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"credibility":2,"name":"PancakeSwap $OLPC/$LABUBU Pool Suffers $1.1 Million Exploit - FX Daily Report","type":"news_article","url":"https://fxdailyreport.com/pancakeswap-olpc-labubu-pool-suffers-1-1-million-exploit/"}]},{"content":"The exploit leveraged the interaction between the OLPC token's manipulated deflationary mechanism and PancakeSwap V2's constant-product market maker (AMM). The attacker routed approximately 10 OLPC tokens through a purpose-built malicious contract. This transfer triggered the modified _update() function, which caused a burn of approximately 51.9 million OLPC tokens and 124,000 LABUBU tokens, sending both to a dead address (0xed...f365). Critically, PancakeSwap V2's cached reserve values did not update to reflect these burned balances. The pool's internal accounting still showed the pre-burn reserve levels, while actual token balances in the pool had collapsed. This mismatch between cached reserves and real balances produced severely distorted prices in the constant-product formula. The attacker exploited this discrepancy to acquire the remaining LABUBU tokens in the pool at prices far below market value. The drained LABUBU was then routed through LABUBU/WBNB and WBNB/USDT conversion paths to yield approximately 1,115,903 USDT. The attacker's net gain after costs was approximately $960,000.","heading":"Exploit Mechanism: Reserve Desynchronization","severity":"critical","sources":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"credibility":2,"name":"BNB Chain OLPC/LABUBU Pool Exploited, $1.11M Stolen - KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/bnb-chain-olpc-labubu-pool-exploited-1-11m-stolen"}]},{"content":"Following the exploit, the attacker bridged the stolen proceeds from BNB Chain to the Ethereum network. On Ethereum, the attacker deposited 633.4 ETH into Tornado Cash, a cryptocurrency mixing protocol used to obfuscate the origin and destination of funds. Additionally, small amounts — 0.0221 BNB and 0.0411 ETH — were sent to dead addresses, a tactic sometimes used to create noise in on-chain tracing. The use of Tornado Cash renders direct fund recovery or attribution to a named individual substantially more difficult. Tornado Cash has been the subject of U.S. Treasury OFAC sanctions since August 2022, meaning interaction with it by U.S. persons is prohibited; the attacker's jurisdiction is unknown.","heading":"Fund Movement and Laundering via Tornado Cash","severity":"critical","sources":[{"credibility":2,"name":"PancakeSwap OLPC/LABUBU Pool Exploited For $1.1 Million; Funds Moved To Tornado Cash - BitcoinWorld","type":"news_article","url":"https://bitcoinworld.co.in/pancakeswap-olpc-labubu-pool-hack-1-1-million/"},{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"PancakeSwap Says Smart Contracts Unaffected as OLPC/LABUBU Pool Hack Causes $1.1 Million Loss - BloomingBit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/114666"}]},{"content":"PancakeSwap issued a public statement following the exploit, stating: 'Our initial investigation has confirmed that there are no issues with PancakeSwap's smart contracts.' The platform confirmed the vulnerability was confined to the OLPC token contract itself and did not affect other liquidity pools or user funds on PancakeSwap. The exchange indicated it was continuing to investigate and would share additional findings. PancakeSwap characterized the OLPC/LABUBU pool as a smaller pool on the platform and noted the exploit specifically targeted that pair.","heading":"PancakeSwap Response and Platform Scope","severity":"medium","sources":[{"credibility":2,"name":"PancakeSwap Smart Contracts Not To Blame In $1.1M Pool Hack - BitcoinWorld","type":"news_article","url":"https://bitcoinworld.co.in/pancakeswap-smart-contracts-not-at-fault-hack/"},{"credibility":2,"name":"PancakeSwap Says Smart Contracts Unaffected as OLPC/LABUBU Pool Hack Causes $1.1 Million Loss - BloomingBit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/114666"}]},{"content":"Following the exploit, the OLPC token experienced extreme price volatility. Reports indicate the token declined sharply before surging approximately 6,839% to reach $4,190, then corrected rapidly. This volatility pattern is consistent with the mechanics of the attack: the massive burn of OLPC tokens from the pool reduced supply dramatically, causing an artificial price spike, before market participants recognized the exploit and sold. The LABUBU token was also impacted as its liquidity pool was drained. The broader June 2026 context saw approximately $60.03 million in total crypto losses, including a $32 million Humanity Protocol exploit and drainage of 1,158 ETH from Aztec Network.","heading":"Market Impact and Token Price Volatility","severity":"high","sources":[{"credibility":2,"name":"PancakeSwap $OLPC/$LABUBU Pool Suffers $1.1 Million Exploit - FX Daily Report","type":"news_article","url":"https://fxdailyreport.com/pancakeswap-olpc-labubu-pool-suffers-1-1-million-exploit/"},{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"}]},{"content":"Security researchers and reporting outlets have characterized the OLPC incident as a premeditated rug pull rather than an opportunistic exploit of a pre-existing vulnerability. The key indicators supporting this classification are: (1) the decimalsValue parameter was set to an extreme value (7326680472586200649) by the token deployer approximately 46 days before the exploit, suggesting deliberate design; (2) ownership was renounced after the parameter change, creating a false appearance of a decentralized and immutable contract; (3) the attacker deployed a purpose-built malicious contract to route the triggering transaction; and (4) stolen funds were immediately bridged and laundered through Tornado Cash, indicating advance preparation for evasion. Whether the OLPC deployer and the exploit attacker are the same individual or coordinated parties has not been confirmed by any identified regulatory or law enforcement body as of the investigation date.","heading":"Rug Pull Classification and Premeditation Evidence","severity":"critical","sources":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"credibility":2,"name":"Watch Out: An Altcoin Liquidity Pool on PancakeSwap Has Been Hacked - Bitcoin Sistemi","type":"news_article","url":"https://en.bitcoinsistemi.com/watch-out-an-altcoin-liquidity-pool-on-pancakeswap-has-been-hacked/"}]},{"content":"As of June 24, 2026, no regulatory body (SEC, CFTC, DOJ, or equivalent international authority) has publicly announced an investigation, charges, or enforcement action related to the OLPC/LABUBU exploit. The use of Tornado Cash by the attacker to launder proceeds implicates OFAC-sanctioned infrastructure; Tornado Cash was designated by the U.S. Treasury's Office of Foreign Assets Control in August 2022. No public identification of the attacker(s) by name has been confirmed. Fund recovery is considered unlikely given the Tornado Cash deposit.","heading":"Regulatory and Law Enforcement Status","severity":"high","sources":[{"credibility":2,"name":"PancakeSwap OLPC/LABUBU Pool Exploited For $1.1 Million; Funds Moved To Tornado Cash - BitcoinWorld","type":"news_article","url":"https://bitcoinworld.co.in/pancakeswap-olpc-labubu-pool-hack-1-1-million/"}]}],"sources_used":[{"credibility":2,"name":"PancakeSwap Labubu Pool Exploited for $1.1M: What Went Wrong - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"credibility":2,"name":"BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch - AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"credibility":2,"name":"PancakeSwap OLPC/LABUBU Pool Exploited For $1.1 Million; Funds Moved To Tornado Cash - BitcoinWorld","type":"news_article","url":"https://bitcoinworld.co.in/pancakeswap-olpc-labubu-pool-hack-1-1-million/"},{"credibility":2,"name":"PancakeSwap $OLPC/$LABUBU Pool Suffers $1.1 Million Exploit - FX Daily Report","type":"news_article","url":"https://fxdailyreport.com/pancakeswap-olpc-labubu-pool-suffers-1-1-million-exploit/"},{"credibility":2,"name":"BNB Chain OLPC/LABUBU Pool Exploited, $1.11M Stolen - KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/bnb-chain-olpc-labubu-pool-exploited-1-11m-stolen"},{"credibility":2,"name":"PancakeSwap Says Smart Contracts Unaffected as OLPC/LABUBU Pool Hack Causes $1.1 Million Loss - BloomingBit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/114666"},{"credibility":2,"name":"PancakeSwap Smart Contracts Not To Blame In $1.1M Pool Hack - BitcoinWorld","type":"news_article","url":"https://bitcoinworld.co.in/pancakeswap-smart-contracts-not-at-fault-hack/"},{"credibility":2,"name":"Watch Out: An Altcoin Liquidity Pool on PancakeSwap Has Been Hacked - Bitcoin Sistemi","type":"news_article","url":"https://en.bitcoinsistemi.com/watch-out-an-altcoin-liquidity-pool-on-pancakeswap-has-been-hacked/"}],"summary":"On June 20, 2026, the OLPC/LABUBU liquidity pool on PancakeSwap V2 (BNB Chain) was exploited for approximately $1.11 million. Security researchers and on-chain analysts determined the attack was premeditated: 46 days before the exploit, the OLPC token deployer had silently set the contract's decimalsValue parameter to an astronomically large value (7326680472586200649), then renounced ownership to obscure their intent. The attacker triggered a massive reserve-desynchronizing burn, drained the pool, converted proceeds to approximately 1,115,903 USDT, bridged to Ethereum, and deposited 633.4 ETH into Tornado Cash.","timeline":[{"date":"2026-05-05","event":"Approximately 46 days before the exploit, the OLPC token deployer changed the contract's decimalsValue parameter from 1 to 7326680472586200649, embedding a backdoor that would dramatically amplify token burns during pool operations.","source":"CryptoTimes / AMBCrypto","source_url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"date":"2026-05-05","event":"OLPC deployer renounced contract ownership after setting the malicious decimalsValue, making the contract appear decentralized and immutable to prospective liquidity providers.","source":"CryptoTimes / AMBCrypto","source_url":"https://ambcrypto.com/bnblabubu-exploit-drains-1-1mln-after-olpc-reserve-mismatch-details/"},{"date":"2026-06-20","event":"Attacker deployed a malicious contract and routed approximately 10 OLPC tokens through it, triggering the amplified burn function. 51.9 million OLPC and 124,000 LABUBU tokens were burned to a dead address, desynchronizing pool reserves.","source":"CryptoTimes / FX Daily Report / KuCoin","source_url":"https://fxdailyreport.com/pancakeswap-olpc-labubu-pool-suffers-1-1-million-exploit/"},{"date":"2026-06-20","event":"Attacker exploited the reserve mismatch to drain the remaining LABUBU from the pool at severely distorted prices, routing proceeds through LABUBU/WBNB and WBNB/USDT pools to yield approximately 1,115,903 USDT.","source":"CryptoTimes / AMBCrypto","source_url":"https://www.cryptotimes.io/2026/06/20/pancakeswap-labubu-pool-exploited-for-1-1m-what-went-wrong/"},{"date":"2026-06-20","event":"Security firm PeckShield identified and reported the exploit on-chain.","source":"FX Daily Report / BloomingBit","source_url":"https://fxdailyreport.com/pancakeswap-olpc-labubu-pool-suffers-1-1-million-exploit/"},{"date":"2026-06-20","event":"Stolen funds bridged from BNB Chain to Ethereum. Attacker deposited 633.4 ETH into Tornado Cash. Small amounts (0.0221 BNB, 0.0411 ETH) sent to dead addresses.","source":"BitcoinWorld / CryptoTimes","source_url":"https://bitcoinworld.co.in/pancakeswap-olpc-labubu-pool-hack-1-1-million/"},{"date":"2026-06-20","event":"PancakeSwap issued statement confirming its smart contracts were not at fault and that only the OLPC/LABUBU pool was affected; said it was continuing to investigate.","source":"BloomingBit / BitcoinWorld","source_url":"https://en.bloomingbit.io/feed/news/114666"}]},"v":1}