
BnbLabubu exploit drains $1.1mln after OLPC reserve mismatch – Details

How did the attacker obtain 1.115 million USDT using a reserve desynchronization bug?

OLPC/LABUBU got attacked, $1.1 million drained

Another day, another exploit.

On the 20th of June, an attacker stole approximately $1.11 million worth of assets by exploiting the OLPC/LABUBU liquidity pool on PancakeSwap V2 on the BNB Chain.

The attack exploited a flaw in how the pool’s constant-product market maker interacted with OLPC’s deflationary mechanism.

While the pair’s cached reserves remained unchanged, its actual token balances collapsed after a small transfer from the attacker’s contract. That transfer triggered the burn of roughly 51.9 million OLPC and 124,000 LABUBU tokens from the pool to a dead address.

Further details of the attack

The reserve mismatch created a severe pricing distortion.

As a result, the attacker bought and drained the remaining LABUBU at heavily discounted prices.
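A defender-side check for the mismatch described above, as an added example that is not from the article or from PancakeSwap's code: it compares a V2-style pair's cached reserves with its real token balances and flags any shortfall. The pre-burn reserve sizes are constructed, the burn amounts are the article's rounded figures, and the `PairSnapshot` fields and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class PairSnapshot:
    # Values a monitor would read per block; all figures in whole tokens.
    reserve0: int  # cached reserve0 from the pair's getReserves()
    reserve1: int  # cached reserve1 from the pair's getReserves()
    balance0: int  # token0.balanceOf(pair)
    balance1: int  # token1.balanceOf(pair)

def shortfall(cached: int, actual: int) -> float:
    """Fraction of a cached reserve not backed by the pair's real balance."""
    return max(cached - actual, 0) / cached if cached else 0.0

def check_pair(s: PairSnapshot, threshold: float = 0.01) -> dict:
    """Flag a pair whose real balances fell below its cached reserves.

    With ordinary ERC-20 tokens a V2 pair's balance is never below its
    reserve, so a shortfall means the token contract itself moved or
    burned the pair's holdings.
    """
    if s.reserve0 == 0 or s.reserve1 == 0:
        raise ValueError("pair has no liquidity")
    s0 = shortfall(s.reserve0, s.balance0)
    s1 = shortfall(s.reserve1, s.balance1)
    cached_price = s.reserve1 / s.reserve0  # token1 per token0 implied by reserves
    backed_price = s.balance1 / s.balance0 if s.balance0 else float("inf")
    return {
        "alert": max(s0, s1) > threshold,
        "shortfall0": s0,
        "shortfall1": s1,
        "price_shift": backed_price / cached_price,  # 1.0 means no distortion
    }

# Constructed pre-burn reserves; burn sizes are the article's rounded figures.
OLPC_BEFORE, LABUBU_BEFORE = 52_000_000, 130_000
OLPC_BURNED, LABUBU_BURNED = 51_900_000, 124_000

def incident_snapshot() -> PairSnapshot:
    return PairSnapshot(OLPC_BEFORE, LABUBU_BEFORE,
                        OLPC_BEFORE - OLPC_BURNED, LABUBU_BEFORE - LABUBU_BURNED)

def healthy_snapshot() -> PairSnapshot:
    # A donation leaves balance above reserve, which is normal and skimmable.
    return PairSnapshot(OLPC_BEFORE, LABUBU_BEFORE, OLPC_BEFORE + 10, LABUBU_BEFORE)

if __name__ == "__main__":
    print(check_pair(incident_snapshot()))
    print(check_pair(healthy_snapshot()))
```

Run per block against pairs that list fee-on-transfer or burn-on-transfer tokens, the alert fires as soon as a balance drops below its cached reserve, before any trade prices against the stale values.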

At the time of writing, it remained unclear whether the vulnerability had been intentionally introduced long before the attack.

However, preliminary analysis suggested the exploit may have stemmed from a previously modified decimalsValue parameter in the OLPC contract.

How did this vulnerability originate? 

A more in-depth analysis suggests the exploit stemmed from a long-standing flaw in the OLPC token. About 46 days before the attack, the token owner changed the decimalsValue parameter from 1 to an enormous number. This enabled excessive token burns through the _update() function.

The incident has also raised suspicions.

Weeks before ownership was renounced, the OLPC contract’s decimalsValue had already been set to an unusually high level.

That timing suggested the flaw may have been embedded long before the exploit occurred.

Notably, there have been no reports of the stolen funds moving to other chains, entering Tornado Cash, or being distributed across multiple wallets.

Attacks in June

With another exploit, the total value of hacks in June to date has reached $60.03 million, according to DeFiLlama data. 

[Figure: Monthly hacks in 2026. Source: DeFiLlama]

This coincided with a significant exploit of Humanity Protocol [H], which caused losses of about $32 million. Aztec Network suffered yet another notable exploit, in which 1,158 Ethereum [ETH], 150,000 DAI, and 0.4696 renBTC were drained.

Additionally, the attacker behind UXLink, which was targeted back in September 2025, recently transferred approximately $8.1 million in Ethereum into Tornado Cash.


Final Summary

  • The attack took advantage of a reserve desynchronization vulnerability brought on by the deflationary mechanisms of the OLPC token.
  • Before exchanging the profits, the attacker was able to drain LABUBU liquidity at advantageous rates due to the resulting pricing distortion.

Ishika Kumari

Journalist