What happened
On June 17, 2026, Little Boy Plus — a BSC "fully decentralized, no team, no admin keys" mining protocol — was exploited for ~$377K of retained value (realized as ~610 WBNB).
Root cause
The LBPHashrate contract's _update() / notifyCredit logic derived a user's minted "hashrate" from the live reserve of the LBP/USDT PancakeSwap pair — a spot value an attacker can move within a single transaction. There was no TWAP and no manipulation guard.
Attack steps
| # | Action |
|---|---|
| 1 | Flash loan ~7.77M USDT (Moolah) + pull ~34M USDT from a PancakeSwap Infinity Vault |
| 2 | Inflate the LBP/USDT pair reserve that notifyCredit trusts |
| 3 | Trigger an oversized hashrate mint against the skewed reserve |
| 4 | Unwind the temporary liquidity; exit via a WBNB pair |
| 5 | Retain ~377,642 USDT of value as ~610 WBNB |
Lessons for auditors
- Never price protocol accounting off a spot DEX reserve. Same class as an oracle-manipulation bug: a flash loan makes a single-block reserve fully attacker-controlled. Use manipulation-resistant oracles / TWAPs, or checkpoint reserves across blocks.
- "No admin keys" is a marketing claim, not a security property. Decentralized minting logic that trusts manipulable inputs is exploitable regardless of key custody.
- Reason about the flash-loaned worst case. For any value read mid-transaction, ask: what if the caller can set it to anything this block?