Little Boy Plus appears to have suffered a BNB Chain exploit valued at roughly 377,642 USDT, after security reporting pointed to a flaw in its LBPHashrate contract. SlowMist attributed the incident to a zero-value transferFrom path that triggered unauthorized minting behavior.
The affected contract was identified as LBPHashrate at 0x5e3cbc82d020be91a989eb747934104e9ab585fe. SlowMist also identified the attacker as 0x5449ded887576f43fc339851e942ebc1e6f8118b and the victim pair as 0x00e3ea08fd8cbad955ec5d2292ad637670c31524.
🚨SlowMist TI Alert🚨
💸 @LittleBoyPlus has been exploited. Loss: ~377,642 USDT (~610.555 BNB)
🔍 Root Cause: The `LBPHashrate._update()` function (in `0x5e3c…85fe`) is triggered by zero-value `transferFrom` calls, which bypasses OpenZeppelin's allowance check. This allows an…
— SlowMist (@SlowMist_Team) June 18, 2026
Zero-Value Transfer Path Becomes the Failure Point
The reported exploit centered on the LBPHashrate._update() function, which SlowMist said could be triggered by zero-value transferFrom calls. That path bypassed OpenZeppelin’s allowance check and allowed the attacker to call LBPHashrate.transferFrom(pair, DEAD, 0) without authorization from the pair.
🚨 Little Boy Plus (LBP) – Loss ~$367K (2026-06-17)
Token: $LBP @ $0.4339
Network: BNB ChainType: Oracle/Reserve Manipulation (LP-share Hashrate emission inflation)
Attacker flash-loaned 7.77M USDT from Moolah and took 34M USDT from PancakeSwap Infinity Vault via lock/take,…
— Defimon Alerts (@DefimonAlerts) June 17, 2026
That call reportedly triggered _harvest(pair), which then used LBP.mintReward(pair, reward) to mint LBP tokens directly to the PancakePair address. The newly minted tokens increased the pair’s LBP balance without increasing its tracked reserve.
That reserve mismatch created the drain path. With the pool’s accounting skewed, the attacker was able to extract USDT through PancakePair.swap(), turning a narrow transfer-condition flaw into a liquidity-pool loss.
Available security commentary also referenced a BscScan transaction beginning with 0x55856d9fda..., but the full transaction hash was not visible in the accessible source previews. That means the hash should be treated as partially identified until a full post-mortem or explorer trace is published.
Attacker Address and Recovery Status Remain Under Scrutiny
The incident has been tied to attacker address 0x5449ded887576f43fc339851e942ebc1e6f8118b, while the vulnerable LBPHashrate contract is verified on BscScan under the same address cited by security researchers. The affected pair was identified as the LBP/USDT PancakeSwap pair.
The loss figure remains approximately 377,642 USDT, equivalent to about 610.555 BNB in the reporting tied to SlowMist. That amount should still be treated as the current security-tracker estimate rather than a project-confirmed final accounting.
The project had not issued a complete public response at the time of reporting. That leaves recovery status, emergency actions and user-level impact unresolved until Little Boy Plus or an established security firm publishes a fuller incident report.
The exploit also adds to a pattern of BNB Chain incidents where custom reward, mining or transfer logic becomes the attack surface. In this case, the issue was not a broad PancakeSwap failure, but a token-side logic path that distorted the pool’s reserve accounting.
The confirmed security picture is narrow: the LBPHashrate contract was identified as vulnerable, the attacker and victim pair have been attributed, and the loss is estimated near 377,642 USDT. The next needed update is a full transaction trace with the complete hash, block timestamp, flash-loan path and remediation steps.