OLPC/LABUBU Hack 2026 — $1M Exploit Analysis

A PancakeSwap liquidity pool for OLPC/LABUBU tokens was drained for $1.1M after a malicious contract parameter, set 46 days earlier, caused massive token burns that desynchronized pool reserves.

Details

Full Description

On June 20, 2026, the OLPC/LABUBU trading pair on PancakeSwap V2 on BNB Chain was drained for 1,115,903 USDT. Approximately 46 days before the attack, the token owner changed the decimalsValue parameter from 1 to 7326680472586200649. Several days later, ownership was renounced, locking the parameter. The _update function burned tokens equal to value * decimalsValue. The attacker sent a small OLPC transfer, triggering burns of ~51.9M OLPC and 124K LABUBU to a dead address. This desynchronized cached reserves from actual balances. The attacker extracted LABUBU at distorted prices and exited with 1,115,903 USDT.

Laundering Analysis

Attacker bridged USDT from BNB Chain to Ethereum and deposited 633.4 ETH into Tornado Cash. Small test transfers were made to a long-unused address. No recovery reported.

Sources

Transaction Hashes

Related Hacks

Back to Browse