OLPC And LABUBU Hit By $1.1M BNB Chain Drain After Reserve Desync

A BNB Chain liquidity route involving OLPC and LABUBU was drained for 1,115,903 USDT on June 20 after an attacker exploited a reserve mismatch in a PancakeSwap pair, ExVulSec reported.

The security alert traced the attack to the OLPC-LABUBU pair at 0xedb7dcb4cdfec957f8df5cbf5e94229a6cc9f365. The attacker address was identified as 0x18d6c39ae9e537f948aa2212d44d8c23944fc188.

The route began with a small OLPC transfer of about 10 tokens through the attacker contract. That transaction coincided with roughly 51.9 million OLPC and 124,000 LABUBU moving from the pair to the dead address, sharply reducing the actual token balances inside the pool.

Stale Reserves Let The Attacker Extract LABUBU

The key break was the gap between the pair’s live balances and its cached reserves. After the token balances changed, the pool’s reserve data was not immediately synchronized. The attacker then used the stale reserve state to pull LABUBU from the pair and route the proceeds through LABUBU/WBNB and WBNB/USDT liquidity.

The final exit was 1,115,903 USDT. ExVulSec listed OLPC at 0x58815cdf9955121a6274680ab396a36fc9e00000 and LABUBU at 0x3494dfe19b721dac6c5c8d7470c8f89548177777. The routing pools were LABUBU/WBNB at 0xdfacdc33e913710ead31ee40f9c5363ea673c421 and WBNB/USDT at 0x16b9a82891338f9ba80e2d6970fdda79d1eb0dae.

The public trace points to a reserve-desync drain, not a confirmed protocol-wide issue or a finalized postmortem. ExVulSec said the root cause remained under investigation.

No Final Postmortem Published

No recovery plan or project response had been published at the time of writing. The available onchain read shows a small trigger transfer, large token movement to the dead address, stale reserves, LABUBU extraction and a USDT exit through BNB Chain liquidity.

The case adds to a run of DeFi incidents where balance accounting became the weak point. The Namada MASP drainexposed a separate $600,000 visibility gap in shielded-asset accounting, while a BCE-USDT PancakeSwap drain and the DIP exploit also involved token or routing behavior distorting expected liquidity accounting.