SlowMist warns: BSC protocol Little Boy Plus was hacked, and 377642 USDT was drained


Blockchain security firm SlowMist released a TI Alert on June 18 stating that it had detected a hack of the DeFi mining protocol Little Boy Plus on the BSC chain, resulting in losses of approximately 377,642 USDT (about 610.555 BNB). SlowMist said the vulnerability exploited in this attack lies in the LBPHashrate._update() function.

Root cause: LBPHashrate._update() can bypass the authorization check via zero-value transferFrom

Little Boy Plus address (Source: Etherscan)

According to SlowMist’s technical analysis, the core of the vulnerability is as follows: the attacker does not need to obtain any authorization from the trading pair (pair). They can directly call LBPHashrate.transferFrom(pair, DEAD, 0), a zero-value transfer. This call does not move any assets, but it bypasses OpenZeppelin’s allowance verification mechanism and triggers the internal _harvest(pair) function.

Attack execution path: from zero-value call to PancakePair.swap() draining USDT

Based on SlowMist’s analysis, the on-chain attack flow is: after triggering _harvest(pair), the function calls LBP.mintReward(pair, reward) to directly mint LBP tokens to PancakeSwap’s liquidity pool address.

These free LBP mints increase the pair’s book balance without increasing its actual reserves, causing a price imbalance in the liquidity pool. The attacker then uses the PancakePair.swap() function to extract all USDT in the pool at this imbalanced, false exchange rate, completing the attack.
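The flaw described above lends itself to a regression check. The following Python model is an added example, not code from SlowMist or the Little Boy Plus contracts. It sends a zero-value transferFrom from an unapproved caller and measures the unbacked LBP it leaves in the pair, and the USDT that surplus exposes, with and without a guard. The class and function names, the balances, the fee-free x*y=k pricing and the guard itself (skip the harvest when the value is zero) are all assumptions.

```python
# Constructed model: names, amounts and the guard are assumptions, not contract source.
class HashrateModel:
    def __init__(self, guarded):
        self.guarded = guarded
        self.allowance = {}               # (owner, spender) -> approved amount
        self.hashrate = {"pair": 1_000}   # hashrate-token balances
        self.pending = {"pair": 5_000}    # LBP reward accrued, not yet minted
        self.lbp = {"pair": 10_000}       # LBP balances; pair starts equal to its reserve

    def transfer_from(self, spender, owner, to, value):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < value:               # 0 < 0 is False: a zero-value call passes
            raise PermissionError("insufficient allowance")
        self.allowance[(owner, spender)] = allowed - value
        self._update(owner, to, value)

    def _update(self, owner, to, value):
        # Assumed guard: a zero-value movement must not trigger a reward harvest.
        if not (self.guarded and value == 0):
            self._harvest(owner)
        if self.hashrate.get(owner, 0) < value:
            raise ValueError("insufficient balance")
        self.hashrate[owner] = self.hashrate.get(owner, 0) - value
        self.hashrate[to] = self.hashrate.get(to, 0) + value

    def _harvest(self, account):
        reward = self.pending.pop(account, 0)
        self.lbp[account] = self.lbp.get(account, 0) + reward  # stands in for mintReward


def usdt_exposed(surplus, reserve_lbp, reserve_usdt):
    """USDT obtainable for `surplus` unbacked LBP under x*y=k (swap fee ignored)."""
    return reserve_usdt * surplus // (reserve_lbp + surplus)


def zero_value_probe(guarded, reserve_lbp=10_000, reserve_usdt=20_000):
    """Unapproved caller sends value 0 from the pair; return (unbacked LBP, USDT exposed)."""
    model = HashrateModel(guarded)
    model.transfer_from("stranger", "pair", "dead", 0)
    surplus = model.lbp["pair"] - reserve_lbp   # balance minus cached reserve
    return surplus, usdt_exposed(surplus, reserve_lbp, reserve_usdt)


if __name__ == "__main__":
    print("flawed hook :", zero_value_probe(guarded=False))
    print("guarded hook:", zero_value_probe(guarded=True))
```

The invariant worth keeping in a test suite is the second result: a transfer of zero by a caller with no approval leaves the pair's balance equal to its reserve.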

Common questions

What is the root cause of this attack?

According to SlowMist’s technical analysis, the root cause is a flaw in the way the LBPHashrate._update() function handles zero-value transferFrom calls. It allows anyone to trigger the _harvest() function without holding any authorization, leading to unauthorized minting of LBP tokens. This is a smart contract business logic vulnerability, not an issue with any cryptographic algorithm.

Why did the attacker choose zero-value transferFrom as the attack entry point?

According to SlowMist, OpenZeppelin’s standard allowance-checking mechanism typically triggers verification only when the transfer amount is greater than zero. A zero-value transfer bypasses this restriction, allowing the attacker to call internal functions without holding any tokens or authorizations. This is the key step that opens the attack.

What is the specific source of the loss figure?

The loss figure comes from the SlowMist TI Alert posted on the X platform (formerly Twitter) on June 18, 2026. The exact number is ~377,642 USDT (~610.555 BNB), which has been verified using SlowMist’s on-chain monitoring tools.
