Little Boy Plus Exploit: $367K Drained via Reserve Manipulation
$367K was drained from Little Boy Plus on BNB Chain after manipulated LBP/USDT reserves inflated hLBP emissions and reward minting in one exploit tx.

- Incident Date: June 17, 2026
- Target: Little Boy Plus
- Target Overview: Little Boy Plus is represented in the reviewed sources by the LBP token and its LBP/USDT liquidity on BNB Chain. The incident centered on LBPHashrate reward accounting tied to PancakeSwap-style LP reserves, not a reported private-key, front-end, or governance compromise.
- Total Loss: Approximately $367,000 reported loss
- Reported Exploit TX: 0x55856d9fda4c5be5193561c7d775e823c3d6e499da44aab9da963daf61c50b0c
- Reported Attacker Address: 0xb26d...825a
- Reported Victim Contract: 0x5e3c...5fe
- Attack Vector: Oracle manipulation / reserve manipulation in LP-share reward accounting
Incident Review & Technical Details
1. Attack Path
- The attacker prepared flash-loaned liquidity: According to Defimon Alerts, the attacker flash-loaned 7.77 million USDT from Moolah and took 34 million USDT from PancakeSwap Infinity Vault through a lock/take flow. The on-chain receipt for the reported exploit transaction succeeded on BNB Chain at block 104,727,184.
- USDT was pushed directly into the LBP/USDT pair: The attacker transferred 5.79 million USDT into the LBP/USDT PancakePair before calling `pair.mint`. That sequence inflated the post-mint reserve value observed by downstream LBPHashrate reward logic.
- LBPHashrate trusted the manipulated reserve state: Defimon attributed the vulnerable accounting to `LBPHashrate.notifyCredit`, where `currentRUsdt` was fed into the hashrate emission calculation. The reported formula, `hashAmount = 2 * lpDelta * currentRUsdt / currentTotalLp`, treated the manipulated reserve value as a valid input.
- hLBP and LBP rewards were over-minted: The inflated accounting reportedly minted about 10.7 million hLBP and repeatedly triggered `lbp.mintReward`, emitting about 141,000 LBP.
- The minted rewards were dumped back into the pool: The attacker sold the emitted LBP back into the pair for USDT. ClaraHacks summarized the drain as 377,642,538,174,099,549,802,864 raw USDT, reported as approximately $367,000.
- Proceeds were converted after loan repayment: Defimon reported that after repaying the borrowed liquidity, the attacker converted the remaining proceeds into about 610 BNB.
2. Impact Scope
- Protocol-Level Loss: Public reporting converged on approximately $367,000 drained from the LBP/USDT liquidity path.
- Affected Component: The affected path was the interaction between LP reserve state, `pair.mint`, `LBPHashrate.notifyCredit`, hLBP issuance, and repeated LBP reward minting.
- Affected Network: The exploit occurred on BNB Chain in a single reported transaction.
- Economic Root Cause: The reward system treated a manipulated pool reserve as if it were an honest LP-user accounting input. That let temporary flash-loaned liquidity distort emissions without representing durable protocol value.
- Disclosure Gap: No official Little Boy Plus postmortem, patch statement, paused-contract notice, compensation plan, or recovery update was identified in the reviewed sources at the time of writing.
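The root cause described in this section, as an added model that is not Little Boy Plus code: a simplified PancakeSwap V2-style pair with constructed whole-token numbers, comparing the reported `hashAmount` formula on the spot reserve with a hypothetical variant capped at a pre-transaction checkpoint. `Pair`, `hash_bounded`, `max_bps` and every amount are assumptions for illustration, and the result can be pinned as a regression test.

```python
from dataclasses import dataclass

@dataclass
class Pair:
    """Simplified PancakeSwap V2-style pair (whole-token units, no fees)."""
    r_lbp: int          # reserves recorded at the last sync
    r_usdt: int
    total_lp: int
    bal_lbp: int = 0    # live token balances held by the pair
    bal_usdt: int = 0

    def __post_init__(self):
        self.bal_lbp, self.bal_usdt = self.r_lbp, self.r_usdt

    def mint(self) -> int:
        # LP minted is limited by the scarcer side of the deposit, but the
        # reserves are then synced to the full balances, surplus included.
        d_lbp, d_usdt = self.bal_lbp - self.r_lbp, self.bal_usdt - self.r_usdt
        lp = min(d_lbp * self.total_lp // self.r_lbp,
                 d_usdt * self.total_lp // self.r_usdt)
        self.total_lp += lp
        self.r_lbp, self.r_usdt = self.bal_lbp, self.bal_usdt
        return lp

def hash_spot(lp_delta: int, pair: Pair) -> int:
    # Formula as reported on the page, reading the post-mint spot reserve.
    return 2 * lp_delta * pair.r_usdt // pair.total_lp

def hash_bounded(lp_delta, pair, ref_r_usdt, ref_total_lp, max_bps=200):
    # Hypothetical hardening: cap USDT-per-LP at a checkpointed value
    # (e.g. a time-weighted reading) plus max_bps of tolerated drift.
    cap = 2 * lp_delta * ref_r_usdt * (10_000 + max_bps) // (ref_total_lp * 10_000)
    return min(hash_spot(lp_delta, pair), cap)

def credit_after_deposit(lbp_in: int, usdt_in: int) -> tuple[int, int]:
    """Return (spot credit, bounded credit) for one deposit-then-mint."""
    pair = Pair(r_lbp=1_000_000, r_usdt=10_000, total_lp=100_000)  # constructed
    ref = (pair.r_usdt, pair.total_lp)   # checkpoint taken before the tx
    pair.bal_lbp += lbp_in               # tokens arrive at the pair...
    pair.bal_usdt += usdt_in
    lp = pair.mint()                     # ...then mint is called
    return hash_spot(lp, pair), hash_bounded(lp, pair, *ref)

if __name__ == "__main__":
    print("balanced deposit  :", credit_after_deposit(10_000, 100))
    print("USDT-heavy deposit:", credit_after_deposit(10_000, 1_000_000))
```

Both deposits mint the same number of LP tokens; only the spot-reserve credit changes with the extra USDT, which is the invariant a regression test should hold constant.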
3. Official Statements
- Little Boy Plus: No official Little Boy Plus statement was identified in the reviewed sources at the time of writing.
- Defimon Alerts: Defimon attributed the exploit to oracle/reserve manipulation in LP-share hashrate emission accounting and published the exploit transaction, attacker address, victim contract, and core formula.
- ClaraHacks: ClaraHacks independently summarized the same incident as a single BNB Chain exploit transaction against Little Boy Plus, with about $367,000 drained because reward accounting treated the manipulated pool state like a normal LP user.
4. Investigation Progress
The reported exploit has enough public trace data to reconstruct the failure mode, but the response status remains unclear. The priority is to confirm whether the affected reward path has been paused or patched, whether other LBP-related pools share the same reserve-based accounting assumptions, and whether the attacker-controlled BNB has moved to a bridge, mixer, or exchange deposit address.
Recommended response steps for Little Boy Plus-style reward systems:
- Publish the affected contracts, vulnerable function path, exploit transaction, and any patched reward-accounting code.
- Reconstruct the exploit on a fork and convert the manipulated-reserve scenario into regression tests.
- Replace spot reserve reads in reward formulas with manipulation-resistant accounting, bounded deltas, or time-weighted validation.
- Add checks that distinguish durable LP ownership from temporary liquidity injected immediately before `pair.mint`.
- Monitor abnormal hLBP issuance, repeated `mintReward` calls, sudden reserve expansion, and large same-transaction reward dumps into USDT.
- Trace the reported 610 BNB destination and coordinate freeze requests if funds touch centralized services.
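One way to express the monitoring step above as per-transaction detection logic (an added example, not tooling from Little Boy Plus or the cited reporters). The record kinds, transaction ids, values and thresholds are constructed assumptions standing in for whatever an indexer decodes from the pair and reward contracts.

```python
from collections import defaultdict

# Constructed, already-decoded records: (tx, kind, value). The kinds are
# hypothetical labels an indexer would assign, not real event names.
EVENTS = [
    ("0xaaa", "reserve_usdt", 10_000), ("0xaaa", "reserve_usdt", 10_100),
    ("0xaaa", "hlbp_mint", 200), ("0xaaa", "mint_reward", 3),
    ("0xbbb", "reserve_usdt", 10_100), ("0xbbb", "reserve_usdt", 1_010_000),
    ("0xbbb", "hlbp_mint", 20_000),
    ("0xbbb", "mint_reward", 40), ("0xbbb", "mint_reward", 40),
    ("0xbbb", "mint_reward", 40), ("0xbbb", "mint_reward", 40),
    ("0xbbb", "lbp_sold_for_usdt", 150),
]

# Assumed thresholds; tune them against the protocol's normal activity.
LIMITS = {"reserve_growth_x": 2.0, "hlbp_per_tx": 5_000,
          "mint_reward_calls": 3, "dump_share": 0.5}

def score_transactions(events, limits=LIMITS):
    """Return {tx: [signals]} for transactions that trip any signal."""
    by_tx = defaultdict(lambda: defaultdict(list))
    for tx, kind, value in events:
        by_tx[tx][kind].append(value)
    alerts = {}
    for tx, kinds in by_tx.items():
        hits = []
        res = kinds["reserve_usdt"]   # USDT reserve readings within the tx
        if len(res) >= 2 and res[0] > 0 and max(res) / res[0] >= limits["reserve_growth_x"]:
            hits.append("reserve_expansion")
        if sum(kinds["hlbp_mint"]) > limits["hlbp_per_tx"]:
            hits.append("hlbp_issuance")
        if len(kinds["mint_reward"]) > limits["mint_reward_calls"]:
            hits.append("repeated_mintReward")
        rewarded = sum(kinds["mint_reward"])
        # Share of the LBP rewarded in this tx that was sold in the same tx.
        if rewarded and sum(kinds["lbp_sold_for_usdt"]) / rewarded >= limits["dump_share"]:
            hits.append("same_tx_reward_dump")
        if hits:
            alerts[tx] = hits
    return alerts

if __name__ == "__main__":
    print(score_transactions(EVENTS))
```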
AUTOSEC.DEV Solution
The Little Boy Plus exploit shows how DeFi reward systems can fail when reserve-dependent formulas treat transient flash-loaned liquidity as honest economic state.
- Secure Code Review - The reported `LBPHashrate.notifyCredit` path depended on `currentRUsdt` after the attacker manipulated the LBP/USDT reserve. AUTOSEC.DEV reviews smart-contract accounting formulas, reserve reads, LP-share issuance, reward emission math, and mint/burn boundaries to catch manipulation-sensitive assumptions before mainnet deployment.
- Security Strategy & Planning - Little Boy Plus did not just need a local formula fix; it needed an emissions design that assumes adversarial liquidity can appear and disappear inside one transaction. We help Web3 teams define economic invariants, oracle and reserve trust boundaries, circuit breakers, and monitoring thresholds for liquidity-dependent reward systems.
- Penetration Testing - The exploit combined flash-loaned USDT, direct pair transfers, `pair.mint`, hLBP over-issuance, and reward dumping. AUTOSEC.DEV reproduces attacker workflows on forks, including reserve stuffing, LP share inflation, reward reentry loops, and post-mint swap routes, so teams can validate controls under realistic transaction pressure.