An attacker drained roughly 377,642 USDT from LittleBoyPlus, a BNB Chain protocol, using a zero-value transfer trick that bypassed standard token protections. The loss came out to about 610.555 BNB.
Blockchain security firm SlowMist flagged the incident through its threat intelligence system. Within an hour, on-chain investigator ZachXBT questioned the entire project’s legitimacy.
“Uh who names a protocol LittleBoyPlus? Entire team should be investigated.”
That was ZachXBT’s response on X, posted under SlowMist’s original alert. The comment pulled immediate attention from the wider crypto security community, with user xssgoat replying on X that the situation was “suspicious asf.”
A Zero-Value Transfer Nobody Saw Coming
The attack targeted a flaw buried in the LBPHashrate contract. As SlowMist’s threat intelligence team detailed on X, the _update() function inside the LBPHashrate contract at address 0x5e3c...85fe could be triggered by zero-value transferFrom calls. That detail matters. OpenZeppelin’s allowance check, the standard safeguard used across thousands of tokens, does not block a transfer when the value is zero. The attacker did not need the PancakePair’s authorization at all.
By calling LBPHashrate.transferFrom(pair, DEAD, 0), the attacker triggered _harvest(pair). That function minted fresh LBP tokens directly to the PancakePair address through LBP.mintReward(pair, reward).
Here is where the math broke down.
The newly minted LBP tokens increased the pair’s token balance without updating its internal reserves. PancakeSwap’s automated market maker only tracks reserves through the sync() function. Because the reserves stayed unchanged while the actual balance jumped, a gap opened between the two numbers. The attacker then called PancakePair.swap() to drain USDT from that imbalance.
Why the Name Raised Red Flags
ZachXBT’s reaction went beyond the technical breach. His comment pointed at the protocol’s name itself as a concern worth investigating. In crypto security circles, project naming choices sometimes signal how seriously a team approaches its own product. A protocol handling real user funds on PancakeSwap that carries a name like LittleBoyPlus drew sharp scrutiny.
The attacker’s wallet address, 0x5449ded887576f43fc339851e942ebc1e6f8118b, and the victim PancakePair contract at 0x00e3ea08fd8cbad955ec5d2292ad637670c31524 are both publicly visible on-chain. SlowMist tagged the vulnerable LBPHashrate contract specifically at 0x5e3cbc82d020be91a989eb747934104e9ab585fe.
Anyone providing liquidity to LBP pairs on PancakeSwap should check exposure to these contracts. The exploit did not target PancakeSwap’s own router or core infrastructure. It hit the token-level logic, a pattern that keeps repeating across BNB Chain in 2026.
Team Silence Deepens Suspicion
The LittleBoyPlus team has not responded publicly. No acknowledgment on X, no post-mortem, no plan for affected users. As of the time of writing, the project’s social channels remain quiet.
That silence is not unusual for smaller BNB Chain tokens after an exploit. Earlier this month, CertiK flagged the ATM token exploit on BSC where a similar custom transfer function flaw drained roughly $243,500. That project’s team also went dark initially. And just weeks ago, SlowMist reported the DTXT/USDT pair attack on BNB Chain, where the attacker bypassed sell fees by manipulating how the contract detected liquidity additions. Loss there sat at about 35,000 USDT.
BNB Chain has been the most targeted network by exploit count for several years running. Independent security tallies have consistently placed it at the top for incident frequency, with token-level flaws rather than chain-level vulnerabilities driving most of the damage.
What a Zero-Value Transfer Actually Bypasses
For DeFi users staking or providing liquidity in smaller BNB Chain pools, this exploit carries a specific warning. The OpenZeppelin transferFrom implementation checks whether the caller has been approved for the amount being transferred. When that amount is zero, the check passes automatically. Most contracts treat a zero-value transfer as harmless. But when a separate function like _update() or _harvest() gets triggered as a side effect of that transfer call, the zero-value path becomes an attack vector.
The attacker did not need to steal private keys. Did not need a flash loan. Did not exploit PancakeSwap itself. The entire attack ran through the protocol’s own reward minting logic, turned against its own liquidity pair.
Developers building custom reward or harvest functions tied to transfer hooks should audit whether zero-value calls can trigger state changes. SlowMist’s breakdown of this exploit makes that lesson difficult to ignore.
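The mechanism described above can be reproduced in a small model. This is an added example, not the LittleBoyPlus contract code or SlowMist's analysis: the class and function names, the reward amount and the starting balance are assumptions, and the skip_zero_value guard is one possible hardening rather than a fix the project has published.

```python
class Revert(Exception):
    """Stand-in for an EVM revert."""

class HashrateToken:
    """Toy ERC-20 whose transfer hook harvests rewards for the sender."""

    REWARD = 1_000  # constructed per-harvest reward, not the real formula

    def __init__(self, lbp, skip_zero_value=False):
        self.lbp = lbp                # reward-token balances: address -> amount
        self.balances = {}            # hashrate-token balances
        self.allowances = {}          # (owner, spender) -> approved amount
        self.skip_zero_value = skip_zero_value

    def _spend_allowance(self, owner, spender, value):
        # OpenZeppelin-style check: reverts only when allowance < value,
        # so value == 0 passes with no approval at all.
        current = self.allowances.get((owner, spender), 0)
        if current < value:
            raise Revert("insufficient allowance")
        self.allowances[(owner, spender)] = current - value

    def _harvest(self, account):
        # Stand-in for LBP.mintReward(account, reward).
        self.lbp[account] = self.lbp.get(account, 0) + self.REWARD

    def _update(self, src, dst, value):
        if self.skip_zero_value and value == 0:
            return                    # hardened: a no-op transfer changes no state
        self._harvest(src)            # side effect reachable by any caller
        if self.balances.get(src, 0) < value:
            raise Revert("insufficient balance")
        self.balances[src] = self.balances.get(src, 0) - value
        self.balances[dst] = self.balances.get(dst, 0) + value

    def transfer_from(self, spender, src, dst, value):
        self._spend_allowance(src, spender, value)
        self._update(src, dst, value)


def reserve_gap(skip_zero_value):
    """LBP balance of the pair minus its cached reserve after an
    unapproved zero-value transferFrom(pair, DEAD, 0)."""
    lbp = {"pair": 50_000}            # constructed starting balance
    reserve = lbp["pair"]             # value the pair cached at its last sync()
    token = HashrateToken(lbp, skip_zero_value)
    token.transfer_from("stranger", "pair", "DEAD", 0)
    return lbp["pair"] - reserve
```

With the guard off, reserve_gap returns the full reward as unaccounted balance on the pair; with it on, the gap is zero. A non-zero transfer without approval reverts in both modes.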
The funds remain in the attacker’s wallet with no indication of recovery efforts. No freeze request has been made public. And ZachXBT’s call for a team investigation has still received no answer from the LittleBoyPlus developers.












