🚨SlowMist TI Alert🚨
💸 @LittleBoyPlus has been exploited. Loss: ~377,642 USDT (~610.555 BNB)
🔍 Root Cause: The `LBPHashrate._update()` function (in `0x5e3c...85fe`) is triggered by zero-value `transferFrom` calls, which bypasses OpenZeppelin's allowance check. This allows an attacker to call `LBPHashrate.transferFrom(pair, DEAD, 0)` without pair authorization, triggering `_harvest(pair)` which mints LBP tokens directly to the PancakePair address via `LBP.mintReward(pair, reward)`. The minted LBP increases the pair's balance but not its reserve, enabling the attacker to drain USDT via `PancakePair.swap()`.
📌 Attacker: `0x5449ded887576f43fc339851e942ebc1e6f8118b`
📌 Victim Pair: `0x00e3ea08fd8cbad955ec5d2292ad637670c31524`
📌 Vulnerable Contract (LBPHashrate): `0x5e3cbc82d020be91a989eb747934104e9ab585fe`
Impact: Zero-value `transferFrom` on LBPHashrate allows unapproved harvest & mint to PancakePair, leading to reserve imbalance and immediate USDT drain.
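The root cause above, as a simplified Python model with one possible guard. This is an added example, not the LBPHashrate source or SlowMist's code. The class, the `skip_zero_value` guard, `unsynced_surplus`, and all balances and reward amounts are assumptions constructed for illustration.

```python
DEAD = "0x000000000000000000000000000000000000dEaD"

class HashrateModel:
    """Toy ERC20-style token whose transfer hook harvests rewards for `from`."""
    def __init__(self, pending, skip_zero_value=False):
        self.allowance = {}            # (owner, spender) -> approved amount
        self.balance = {}              # hashrate-token balances
        self.pending = dict(pending)   # holder -> accrued LBP reward (constructed)
        self.lbp_balance = {}          # LBP balances, written by the mint step
        self.skip_zero_value = skip_zero_value  # hypothetical hardening switch

    def _spend_allowance(self, owner, spender, value):
        current = self.allowance.get((owner, spender), 0)
        if current < value:            # 0 < 0 is False: a zero-value spend passes
            raise PermissionError("insufficient allowance")
        self.allowance[(owner, spender)] = current - value

    def _harvest(self, holder):
        reward = self.pending.pop(holder, 0)
        # stands in for LBP.mintReward(holder, reward)
        self.lbp_balance[holder] = self.lbp_balance.get(holder, 0) + reward

    def _update(self, sender, to, value):
        if not (self.skip_zero_value and value == 0):
            self._harvest(sender)      # side effect runs for whoever `from` is
        if self.balance.get(sender, 0) < value:
            raise ValueError("insufficient balance")
        self.balance[sender] = self.balance.get(sender, 0) - value
        self.balance[to] = self.balance.get(to, 0) + value

    def transfer_from(self, spender, owner, to, value):
        self._spend_allowance(owner, spender, value)
        self._update(owner, to, value)

def unsynced_surplus(model, pair, reserve):
    """LBP held by the pair above its recorded reserve.
    A V2-style pair treats this excess as swap input, so it should stay at 0."""
    return model.lbp_balance.get(pair, 0) - reserve

def run(skip_zero_value):
    pair, caller, reserve = "pair", "unapproved-caller", 1_000  # constructed
    m = HashrateModel({pair: 250}, skip_zero_value)
    m.lbp_balance[pair] = reserve      # pair starts in sync with its reserve
    m.transfer_from(caller, pair, DEAD, 0)   # caller holds no approval from pair
    return unsynced_surplus(m, pair, reserve)
```

`run(False)` leaves the pair holding reward tokens its reserve does not account for, while `run(True)` leaves balance and reserve equal; the same balance-minus-reserve comparison can serve as a monitoring invariant on the pair.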