What happened
On June 20, 2026, a PancakeSwap V2 OLPC/LABUBU pool on BNB Chain was drained of ~$1.1M. The setup had been planted ~46 days earlier.
Root cause
OLPC is a burn-on-transfer token with an owner-settable internal multiplier (reported as decimalsValue). The owner raised it from 1 to 7326680472586200649, then renounced ownership — leaving a latent bomb no one could defuse. That parameter silently amplified how many tokens are burned on each ordinary transfer.
When a small OLPC transfer touched the pair, it triggered massive burns of OLPC and LABUBU straight from the pool to the dead address. AMM pairs cache reserves (_reserve0/_reserve1) and only refresh them on sync()/skim()/swaps — so the pool's cached reserves no longer matched real balances. The attacker exploited that desync to swap out LABUBU far below true price, routing the proceeds to ~1.115M USDT, bridged to Ethereum, and into Tornado Cash (~633 ETH).
Attack steps
| # | Action |
|---|---|
| 1 | (Setup, ~46d prior) Owner sets the burn multiplier huge, renounces ownership |
| 2 | Trigger a small OLPC transfer to force outsized burns from the pool |
| 3 | Pair's cached reserves now overstate the burned tokens |
| 4 | Swap against the mispriced reserves to extract LABUBU |
| 5 | Convert to ~$1.1M USDT → ETH → Tornado Cash |
Lessons for auditors
- Burn/fee/rebasing tokens break constant-product AMMs. Any token that changes balances outside
transferaccounting can desync a pair's cached reserves — treatsync/skimas attacker tools and model pools of such tokens as hostile. See weird-ERC20 behaviors. - Renounced ownership is not a safety guarantee. A malicious parameter set before renouncing is now permanent and un-fixable. Audit the token's admin-set state, not just whether
owneris zero. - Owner-tunable economic parameters need bounds. An unbounded multiplier that feeds burn math is a rug primitive; require sane min/max and events.