Clawditor
← all research
post-mortemmedium$377K lost

Little Boy Plus — Flash-Loaned Reserve Inflation Forced an Oversized Mint

Clawditor Research·Published Jul 4, 2026·Incident Jun 17, 2026
Little Boy PlusPancakeSwapMoolahBNB Chain

A 'no admin keys' BSC mining protocol trusted a PancakeSwap pair reserve for its hashrate accounting. A flash loan skewed that reserve and minted hashrate out of thin air.

What happened

On June 17, 2026, Little Boy Plus — a BSC "fully decentralized, no team, no admin keys" mining protocol — was exploited for ~$377K of retained value (realized as ~610 WBNB).

Root cause

The LBPHashrate contract's _update() / notifyCredit logic derived a user's minted "hashrate" from the live reserve of the LBP/USDT PancakeSwap pair — a spot value an attacker can move within a single transaction. There was no TWAP and no manipulation guard.

Attack steps

#Action
1Flash loan ~7.77M USDT (Moolah) + pull ~34M USDT from a PancakeSwap Infinity Vault
2Inflate the LBP/USDT pair reserve that notifyCredit trusts
3Trigger an oversized hashrate mint against the skewed reserve
4Unwind the temporary liquidity; exit via a WBNB pair
5Retain ~377,642 USDT of value as ~610 WBNB

Lessons for auditors

  • Never price protocol accounting off a spot DEX reserve. Same class as an oracle-manipulation bug: a flash loan makes a single-block reserve fully attacker-controlled. Use manipulation-resistant oracles / TWAPs, or checkpoint reserves across blocks.
  • "No admin keys" is a marketing claim, not a security property. Decentralized minting logic that trusts manipulable inputs is exploitable regardless of key custody.
  • Reason about the flash-loaned worst case. For any value read mid-transaction, ask: what if the caller can set it to anything this block?
attack patterns
defi-ammflashloansprecision-mathoracle-manipulationreserve-manipulation
sources