金色财经|Jun 18, 2026 02:03
[SlowMist: Little Boy Plus Hacked, Approximately $370,000 Lost]
According to a report by Jinse Finance on June 18, SlowMist monitoring revealed that the DeFi mining protocol Little Boy Plus on BSC was hacked, resulting in a loss of approximately $370,000 (around 610.555 BNB). The root cause was the `LBPHashrate._update()` function (located at `0x5e3c...85fe`) being triggered by a zero-value `transferFrom` call, bypassing OpenZeppelin's authorization checks. This allowed the attacker to call `LBPHashrate.transferFrom(pair, DEAD, 0)` without pair authorization, thereby triggering `_harvest(pair)`. This function directly minted LBP tokens to the PancakePair address via `LBP.mintReward(pair, reward)`. The minted LBP increased the pair's balance but did not increase its reserves, enabling the attacker to drain USDT through `PancakePair.swap()`.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink