Little Boy Plus on BNB Chain was exploited on 2026-06-17T08:35:38Z through a reserve-manipulation flaw in its LP-backed hashrate credit path. The attacker used a 7,772,960.679833989887601242 USDT flash loan from Moolah together with 34,088,143.961844099311594944 USDT pulled from PancakeSwap Infinity Vault, inflated the LBP/USDT pair reserve that notifyCredit trusted, and forced an oversized hashrate mint. That inflated credit path minted about 10.737 million hLBP and then triggered repeated downstream mintReward emissions totaling about 207,166.985 LBP, which the attacker dumped back into the pair. After unwinding the temporary liquidity, the attacker exited through a WBNB pair and retained about 377,642.57084995696 USDT of value, realized as 610.5557863309339 WBNB.
Root Cause
Vulnerable Contract
LBPHashrate at 0x5e3cbc82d020be91a989eb747934104e9ab585fe is the primary vulnerable contract. It is not a proxy. The source confidence is high because the contract source is verified on-chain and the exploit path aligns with the observed execution trace and emitted transfer events.
Vulnerable Function
The vulnerable entry is notifyCredit(address,uint256,uint256,uint256) with selector 0xc51e31dc. This function is reached from Little Boy Plus token settlement when an LP add is recognized, and it treats the caller-supplied post-mint USDT reserve and LP supply as trustworthy inputs for hashrate emission. In this transaction the attacker forced that path to run after inflating the pair’s quote-side reserve, so the reserve-dependent mint calculation materially overstated the LP position’s economic value.
Vulnerable Code
function notifyCredit(
    address user,
    uint256 lpDelta,
    uint256 currentRUsdt,
    uint256 currentTotalLp
) external onlyLBP nonReentrant returns (address refToReward, uint256 hashrateUsed) {
    if (user == address(0) || lpDelta == 0 || user == DEAD) return (address(0), 0);
    if (currentTotalLp == 0) return (address(0), 0);
    uint256 hashAmount = 2 * lpDelta * currentRUsdt / currentTotalLp; // <-- VULNERABILITY: trusts manipulable post-mint pair reserves from the same transaction
    unchecked {
        registeredLp[user] += lpDelta;
    }
    if (hashAmount == 0) {
        emit HashrateCredited(user, lpDelta, 0);
        return (address(0), 0);
    }
    _mint(user, hashAmount); // <-- VULNERABILITY: mints inflated hashrate directly from the manipulated reserve-derived amount
    emit HashrateCredited(user, lpDelta, hashAmount);
}
Why It’s Vulnerable
Expected behavior: LP-backed reward credit should reflect the fair economic value of the user’s added liquidity, using reserve data that cannot be distorted inside the same settlement path or by transient same-transaction liquidity injections.
Actual behavior: the settlement path in LBP passes post-mint pair state directly into notifyCredit, and notifyCredit computes hashAmount from lpDelta, currentRUsdt, and currentTotalLp without defending against same-transaction reserve inflation. The attacker first assembled temporary USDT liquidity, then pushed a large USDT amount into the LBP/USDT pair immediately before the credit path settled. That made the quote-side reserve look much larger at the exact moment notifyCredit priced the LP share, so the contract minted about 10.737 million hLBP from what was effectively transient and attacker-controlled reserve state.
Because Little Boy Plus then uses the hashrate state to emit LBP via mintReward, the manipulated credit did not stop at a bookkeeping error. It cascaded into real LBP emissions that the attacker could transfer into the pair and sell for USDT, turning the reserve distortion into realized profit.
Attack Execution
High-Level Flow
- The attacker EOA created an ephemeral helper chain that deployed the primary attack contract.
- The attack contract borrowed 7,772,960.679833989887601242 USDT from Moolah and pulled 34,088,143.961844099311594944 USDT from PancakeSwap Infinity Vault through lock and take.
- The attacker injected USDT into the LBP/USDT pair and triggered the LBP LP-settlement path so LBPHashrate.notifyCredit priced the LP share against an inflated post-mint USDT reserve.
- The manipulated settlement minted about 10.737 million hLBP and then caused repeated mintReward calls that emitted about 207,166.985 LBP, including about 23,018.554 LBP directly to the attacker and about 115,092.770 LBP to the pair.
- The attacker transferred emitted LBP back into the pair, sold out into USDT, repaid temporary liquidity, and swapped the retained profit into 610.5557863309339 WBNB.
Detailed Call Trace
The attacker EOA 0xb26dfe6b6180a30e2a2d9826867cc7e06631825a first created helper contracts, with the main exploit logic executing from 0x5449ded887576f43fc339851e942ebc1e6f8118b. That contract called flashLoan(address,uint256,bytes) on Moolah’s proxy 0x8f73b65b4caaf64fba2af91cc5d4a2a1318e5d8c, which delegated to implementation 0x9321587ea0dc8247f8f03e8696c047b2713bb79a and transferred 7,772,960.679833989887601242 USDT into the attacker contract. In the flash-loan callback, the attacker contract called lock(bytes) on PancakeSwap Infinity Vault 0x238a358808379702088667322f80ac48bad5e6c4, received the lock callback, checked the vault USDT balance, and then called take(address,address,uint256) to withdraw 34,088,143.961844099311594944 USDT from the vault.
With the temporary liquidity assembled, the attacker pushed USDT into the LBP/USDT pair 0x00e3ea08fd8cbad955ec5d2292ad637670c31524 and drove the Little Boy Plus settlement path. During that path, LBP called notifyCredit(address,uint256,uint256,uint256) on LBPHashrate. The calldata for that call shows a large LP delta together with a current USDT reserve of about 21.231876 million USDT. notifyCredit then minted inflated hashrate from those manipulated inputs.
Immediately afterward, LBPHashrate made a cluster of mintReward(address,uint256) calls back into LBP. Those calls minted LBP to several recipients, including about 115,092.770 LBP to the pair, about 23,018.554 LBP directly to the attacker contract, and additional reward allocations to protocol and referral addresses. The attacker then transferred large amounts of newly emitted LBP back into the pair and sold out through the pair and then through a WBNB pair, while the trace also shows the final WBNB leaving the attack contract toward the attacker’s exit route.
Financial Impact
The exploit converted a reserve-accounting flaw into a realized protocol loss of about 377,642.57084995696 USDT. The transient borrow legs were 7,772,960.679833989887601242 USDT from Moolah and 34,088,143.961844099311594944 USDT from PancakeSwap Infinity Vault, both used only to manipulate settlement and unwind the trade. The durable extraction came from the inflated LBP reward path: about 207,166.985 LBP were emitted in the manipulated reward cycle, and the attacker exited with about 610.5557863309339 WBNB, which corresponds to the retained USDT profit path seen in the transfer ledger.
Evidence
- Transaction: 0x55856d9fda4c5be5193561c7d775e823c3d6e499da44aab9da963daf61c50b0c on BNB, block 104727184, status success.
- Attacker: 0xb26dfe6b6180a30e2a2d9826867cc7e06631825a.
- Vulnerable contract: 0x5e3cbc82d020be91a989eb747934104e9ab585fe.
- Impacted pool/token/protocol component: LBP/USDT pair 0x00e3ea08fd8cbad955ec5d2292ad637670c31524 and the Little Boy Plus reward-emission path.
- Key on-chain fact: Moolah transferred 7,772,960.679833989887601242 USDT to the attacker contract and PancakeSwap Infinity Vault transferred 34,088,143.961844099311594944 USDT to the same contract before the manipulated settlement.
- Key on-chain fact: LBP called notifyCredit on LBPHashrate, which then issued repeated mintReward calls including about 23,018.553942285253 LBP to the attacker contract and about 115,092.76971142628 LBP to the pair.
Remediation
The LP-backed reward path should not price liquidity additions from same-transaction spot reserves. notifyCredit should derive credit from a manipulation-resistant source, such as a TWAP-backed reserve view, a delayed checkpoint, or explicit accounting of the user’s deposited assets rather than the instantaneous pair state. The protocol should also reject settlement paths that observe abrupt reserve jumps inside the same transaction and separate liquidity-accounting state from reward-mint side effects so that a reserve distortion cannot cascade directly into token emissions. Finally, invariant tests should cover transient reserve inflation around LP settlement and assert that flash-liquidity cannot increase LP-backed reward credit beyond the true deposited value.
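The invariant described above can be modelled off-chain before it is ported to a contract test suite. The following is an added example, not the protocol's code: credit_spot reproduces the formula quoted from notifyCredit, while credit_checkpointed, MAX_DEVIATION_BPS and every reserve and LP figure are hypothetical, constructed values. lpDelta and LP supply are held fixed to isolate the reserve term.

```python
# Added illustration, not the protocol's code. All reserve and LP figures are
# constructed sample values, not taken from the on-chain trace.
WAD = 10**18
MAX_DEVIATION_BPS = 200  # assumed tolerance between spot and checkpoint reserve


def credit_spot(lp_delta, r_usdt, total_lp):
    """Formula quoted from notifyCredit: 2 * lpDelta * currentRUsdt / currentTotalLp."""
    if lp_delta == 0 or total_lp == 0:
        return 0
    return 2 * lp_delta * r_usdt // total_lp


def credit_checkpointed(lp_delta, spot_r_usdt, cp_r_usdt, cp_total_lp):
    """Hypothetical hardened variant: price the LP share from a checkpoint
    recorded in an earlier block, and refuse to settle while the spot
    reserve has jumped away from that checkpoint."""
    if lp_delta == 0 or cp_total_lp == 0:
        return 0
    if abs(spot_r_usdt - cp_r_usdt) * 10_000 > cp_r_usdt * MAX_DEVIATION_BPS:
        raise ValueError("spot reserve deviates from checkpoint; defer credit")
    return 2 * lp_delta * cp_r_usdt // cp_total_lp


def check_invariant(injections):
    """Invariant: transient quote-side liquidity must never raise the credit."""
    cp_r, cp_lp = 1_000_000 * WAD, 500_000 * WAD  # constructed checkpoint state
    lp_delta = 5_000 * WAD                        # constructed LP add
    fair = credit_spot(lp_delta, cp_r, cp_lp)     # credit with no injection
    rows = []
    for x in injections:
        spot = credit_spot(lp_delta, cp_r + x, cp_lp)
        try:
            hardened = credit_checkpointed(lp_delta, cp_r + x, cp_r, cp_lp)
        except ValueError:
            hardened = 0  # settlement deferred, nothing minted this transaction
        assert hardened <= fair, "hardened credit exceeded fair value"
        rows.append((x // WAD, spot // WAD, hardened // WAD))
    return fair // WAD, rows


if __name__ == "__main__":
    fair, rows = check_invariant([0, 10_000 * WAD, 20_000_000 * WAD])
    print("fair credit:", fair)
    for injected, spot, hardened in rows:
        print(f"injected={injected:>10} spot={spot:>7} hardened={hardened:>6}")
```

The spot formula scales linearly with the injected reserve, while the checkpointed variant either returns the uninflated credit or defers settlement.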