BnbLabubu OLPC/LABUBU Reserve-Mismatch Exploit
A deflationary-burn flaw in the OLPC token created a reserve mismatch on a PancakeSwap V2 pool, letting an attacker buy out LABUBU at a distorted price and drain about $1.1M.
On June 20, 2026, the OLPC/LABUBU liquidity pool on PancakeSwap V2 (BNB Chain) — part of the BnbLabubu meme-token project — was drained of approximately $1.1 million when a deflationary-burn flaw in the OLPC token created a reserve mismatch that the attacker exploited to buy out the pool's LABUBU at a distorted price.
What happened
PancakeSwap V2 pairs price assets with a constant-product (x·y=k) formula against cached reserves that are only synced on swaps and mints. OLPC, however, was a deflationary token whose _update() logic burned tokens on transfer. Roughly 46 days before the attack, OLPC's owner had changed the token's decimalsValue parameter from 1 to an enormous number — a change that enabled outsized burns — before renouncing ownership. The attacker sent a small transfer into the pair that triggered the burn of about 51.9 million OLPC and 124,000 LABUBU from the pool to a dead address, while the pair's cached reserves stayed unchanged. The gap between the cached reserves and the pool's real balances created a severe pricing distortion, and the attacker bought up the remaining LABUBU at a steep discount, converting the loot into roughly 1,115,903 USDT.
Aftermath
The exploiter bridged the proceeds to Ethereum and deposited about 633 ETH into Tornado Cash, laundering the funds; none were recovered. PancakeSwap stated that its own smart contracts were not at fault and that the issue stemmed from the OLPC token's configuration, and said it was continuing to investigate.
Why it matters
The incident is another reminder that fee-on-transfer and deflationary tokens break the core AMM invariant: constant-product pools assume a token's balanceOf equals the cached reserves, and any token that silently burns or rebases its balance opens a reserve-mismatch attack — the same class that has repeatedly bitten BNB Chain pools since PancakeBunny. It also shows how a single attacker-friendly parameter set before ownership renouncement (DIP Token) can sit dormant for weeks before anyone weaponizes it, and how cheaply launderable meme-token liquidity remains a favored target.
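The assumption named above, that balanceOf matches the cached reserves, can be checked directly. The toy model below is an added example, not code from the OLPC contract or PancakeSwap; its class names, burn rate and balances are constructed for illustration. In a live monitor the two inputs would be the pair's getReserves() and each token's balanceOf(pair).

```python
DEAD = "0xdead"  # constructed label for the burn address

class BurnOnTransferToken:
    """Constructed stand-in for a token whose transfer hook burns from the pair."""
    def __init__(self, pair_addr, burn_bps):
        self.pair_addr, self.burn_bps = pair_addr, burn_bps
        self.balance_of = {}

    def mint(self, to, amount):
        self.balance_of[to] = self.balance_of.get(to, 0) + amount

    def transfer(self, src, dst, amount):
        self.balance_of[src] -= amount
        self.mint(dst, amount)
        if dst == self.pair_addr:  # deflationary hook: burn part of the pair's balance
            burned = self.balance_of[dst] * self.burn_bps // 10_000
            self.balance_of[dst] -= burned
            self.mint(DEAD, burned)

class Pair:
    """Only the V2 bookkeeping that matters here: cached reserves plus sync()."""
    def __init__(self, addr, token0, token1):
        self.addr, self.tokens = addr, (token0, token1)
        self.reserves = (0, 0)

    def sync(self):  # re-read real balances into the cache
        self.reserves = tuple(t.balance_of.get(self.addr, 0) for t in self.tokens)

def reserve_drift_bps(pair):
    """Gap between cached reserve and real balance per token, in basis points."""
    out = []
    for reserve, token in zip(pair.reserves, pair.tokens):
        balance = token.balance_of.get(pair.addr, 0)
        out.append((reserve - balance) * 10_000 // reserve if reserve else 0)
    return tuple(out)

def is_mismatched(pair, tolerance_bps=10):
    """Alert condition: any token drifts from its cached reserve beyond tolerance."""
    return any(abs(d) > tolerance_bps for d in reserve_drift_bps(pair))

def demo():
    olpc = BurnOnTransferToken("pair", burn_bps=9_000)  # constructed burn rate
    labubu = BurnOnTransferToken("pair", burn_bps=0)
    pair = Pair("pair", olpc, labubu)
    for token, amount in ((olpc, 1_000_000), (labubu, 500_000)):
        token.mint("pair", amount)
    olpc.mint("user", 10)
    pair.sync()
    before = is_mismatched(pair)
    olpc.transfer("user", "pair", 10)   # small transfer fires the burn hook
    stale = reserve_drift_bps(pair)     # cache still holds the pre-burn reserve
    pair.sync()                         # cache realigns; the quoted price has moved
    return before, stale, is_mismatched(pair)
```

A nonzero drift on a pair that nobody has just funded is the signal worth alerting on, since ordinary swaps and mints leave the cache equal to the balances.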