SlowMist: Little Boy Plus attacked, losing approximately $378,000

CoinFeed June 18 news, according to SlowMist monitoring, Little Boy Plus was attacked, losing approximately 377,642 USDT (about 610.555 BNB). The vulnerability lies in the _update function of the LBPHashrate contract, which can be triggered via a zero-value transferFrom call, bypassing OpenZeppelin's authorization check. Attackers can call this function without authorization, triggering _harvest and minting LBP tokens to the PancakePair address through LBP.mintReward. The minted LBP increases the pair balance but does not alter reserves, and the attacker subsequently drains USDT through PancakePair.swap.