Little Boy Plus Unauthorized-Mint Drain

On June 18, 2026, Little Boy Plus (LBP) was exploited on BNB Chain for approximately $378,000 — about 377,642 USDT (roughly 610.555 BNB) — through an unauthorized-mint flaw flagged by security firm SlowMist.

What happened

The root cause sat in the LBPHashrate._update() reward logic, which could be triggered by zero-value transferFrom calls that bypass OpenZeppelin's allowance check. The attacker called LBPHashrate.transferFrom(pair, DEAD, 0) without the pair's authorization, which invoked _harvest(pair) and minted fresh LBP straight to the PancakePair address via LBP.mintReward(pair, reward). The newly minted tokens raised the pair's LBP balance but not its tracked reserve, opening a gap between real balance and accounted reserve. Using flash-loan liquidity to size the trade, the attacker then called PancakePair.swap() to drain the pool's USDT against the desynced reserve before cashing out through BNB Chain trading pools. On-chain monitors identified the attacker as 0x5449ded887576f43fc339851e942ebc1e6f8118b.

Aftermath

SlowMist pinned the loss at roughly 377,642 USDT. The exploit stemmed from the token's own minting and allowance logic rather than any private-key compromise; no recovery had been reported at publication.

Why it matters

Little Boy Plus is another reminder that permissionless reward-minting plus AMM reserve accounting is a dangerous combination on BNB Chain: any path that mints tokens directly into a pair without updating its tracked reserve hands an attacker a free price-manipulation primitive. It mirrors the reserve-desync mechanics of the DIP token drain two days earlier, and echoes the mint-and-dump pattern behind Elephant Money and the AMM manipulation that hit PancakeBunny.