Clawditor
← all research
post-mortemhigh$1.1M lost

OLPC/LABUBU — a 46-Day Time-Bomb Burn Param Desynced a PancakeSwap Pair

Clawditor Research·Published Jul 4, 2026·Incident Jun 20, 2026
PancakeSwapOLPCLABUBUBNB Chain

The OLPC token owner set an internal burn multiplier to a huge value then renounced ownership. Weeks later, one transfer torched pool balances, desynced the pair's reserves, and let an attacker drain ~$1.1M.

What happened

On June 20, 2026, a PancakeSwap V2 OLPC/LABUBU pool on BNB Chain was drained of ~$1.1M. The setup had been planted ~46 days earlier.

Root cause

OLPC is a burn-on-transfer token with an owner-settable internal multiplier (reported as decimalsValue). The owner raised it from 1 to 7326680472586200649, then renounced ownership — leaving a latent bomb no one could defuse. That parameter silently amplified how many tokens are burned on each ordinary transfer.

When a small OLPC transfer touched the pair, it triggered massive burns of OLPC and LABUBU straight from the pool to the dead address. AMM pairs cache reserves (_reserve0/_reserve1) and only refresh them on sync()/skim()/swaps — so the pool's cached reserves no longer matched real balances. The attacker exploited that desync to swap out LABUBU far below true price, routing the proceeds to ~1.115M USDT, bridged to Ethereum, and into Tornado Cash (~633 ETH).

Attack steps

#Action
1(Setup, ~46d prior) Owner sets the burn multiplier huge, renounces ownership
2Trigger a small OLPC transfer to force outsized burns from the pool
3Pair's cached reserves now overstate the burned tokens
4Swap against the mispriced reserves to extract LABUBU
5Convert to ~$1.1M USDT → ETH → Tornado Cash

Lessons for auditors

  • Burn/fee/rebasing tokens break constant-product AMMs. Any token that changes balances outside transfer accounting can desync a pair's cached reserves — treat sync/skim as attacker tools and model pools of such tokens as hostile. See weird-ERC20 behaviors.
  • Renounced ownership is not a safety guarantee. A malicious parameter set before renouncing is now permanent and un-fixable. Audit the token's admin-set state, not just whether owner is zero.
  • Owner-tunable economic parameters need bounds. An unbounded multiplier that feeds burn math is a rug primitive; require sane min/max and events.
attack patterns
erc20defi-ammaccess-controlburn-on-transferreserve-desync
sources