On June 20, the OLPC/LABUBU liquidity pools on BNB Chain were compromised, with attackers transferring approximately $1.11 million in assets from the PancakeSwap V2 pools. The key issue wasn't typical flash loans, but rather a discrepancy between the pool's reserve data and the actual balance, leading to price distortion.
The attack point lies in the disconnect between reserves and balance.
This incident involves the deflationary mechanism of the OLPC token. Analysis shows that the attacker first initiated a small transfer via a contract, subsequently triggering the destruction of tokens in the pool. During the process, approximately 51.9 million OLPC and 124,000 LABUBU were transferred to the destruction address.
The problem is that the reserve values cached by the trading pair were not updated in sync, while the actual token balance in the pool had clearly decreased. This disconnect between reserves and balance distorts the price produced by the constant-product market-making mechanism, creating opportunities for subsequent arbitrage.
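A monitoring check for this reserve/balance disconnect, as an added example that is not code from the report or from either project. The `PairSnapshot` type, the function names, the 50 bps threshold and the sample numbers are constructed, and the 0.25% fee constant is an assumption based on PancakeSwap V2's library.

```python
from dataclasses import dataclass

# Assumption: 0.25% swap fee as in PancakeSwap V2's library (9975/10000).
FEE_NUM, FEE_DEN = 9975, 10000

@dataclass
class PairSnapshot:
    """One observation of a pair; all values here are constructed samples."""
    reserve0: int  # cached reserve, as getReserves() would report it
    reserve1: int
    balance0: int  # token0.balanceOf(pair) at the same block
    balance1: int

def amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    """Constant-product quote with fee, using integer math like the pair."""
    if min(amount_in, reserve_in, reserve_out) <= 0:
        raise ValueError("amounts and reserves must be positive")
    fee_in = amount_in * FEE_NUM
    return fee_in * reserve_out // (reserve_in * FEE_DEN + fee_in)

def shortfall_bps(reserve: int, balance: int) -> int:
    """How far the real balance sits below the cached reserve, in bps."""
    if reserve <= 0:
        return 0
    return max(reserve - balance, 0) * 10_000 // reserve

def check_pair(snap: PairSnapshot, threshold_bps: int = 50):
    """Return (token, shortfall_bps) for each side whose drift exceeds the threshold."""
    sides = (("token0", snap.reserve0, snap.balance0),
             ("token1", snap.reserve1, snap.balance1))
    return [(n, shortfall_bps(r, b)) for n, r, b in sides
            if shortfall_bps(r, b) > threshold_bps]

def quote_gap(snap: PairSnapshot, amount_in: int):
    """Quote token0 -> token1 from cached reserves vs. from real balances."""
    cached = amount_out(amount_in, snap.reserve0, snap.reserve1)
    actual = amount_out(amount_in, snap.balance0, snap.balance1)
    return cached, actual

# Constructed sample: a token-side burn removed 60% of token0 from the pair
# while the cached reserves still show the old amount.
HEALTHY = PairSnapshot(1_000_000, 1_000_000, 1_000_000, 1_000_000)
DRIFTED = PairSnapshot(1_000_000, 1_000_000, 400_000, 1_000_000)

if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY), ("drifted", DRIFTED)):
        print(label, check_pair(snap), quote_gap(snap, 1_000))
```

A non-empty result from `check_pair` means a token contract is removing tokens from the pair outside of swaps, which is the condition worth alerting on before the cached price is relied on.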
Attackers withdraw remaining liquidity at a low price
After the price was manipulated, the attackers were able to buy and drain the remaining LABUBU liquidity from the pool at a price significantly lower than normal, thus profiting from the transaction. The report noted that, as of press time, the stolen funds had not been transferred across chains, nor had they flowed into Tornado Cash or been dispersed to multiple addresses.
Currently, it remains unclear whether this vulnerability was intentionally planted beforehand. However, preliminary analysis points to the decimalsValue parameter in the OLPC contract as the cause of the problem.
An abnormal parameter set 46 days earlier may have been the cause
Further on-chain analysis revealed that approximately 46 days prior to the attack, the OLPC token owner changed `decimalsValue` from 1 to an unusually large value. This change likely caused the `_update()` function to trigger excessive destruction, thus setting the stage for this reserve distortion.
It's worth noting that this parameter had already been set to an abnormal level several weeks before the project relinquished ownership of the contract. This has led to suspicions that the vulnerability may have existed long before the attack.

Additional information: According to DeFiLlama data, cumulative losses from various crypto attacks since June have risen to approximately $60.03 million. During the same period, Humanity Protocol suffered losses of approximately $32 million, and Aztec Network also experienced an attack, losing 1,158 ETH, 150,000 DAI, and 0.4696 renBTC.











