Slow Fog: Little Boy Plus was attacked, resulting in a loss of approximately $378,000

According to Slow Fog monitoring, Little Boy Plus was attacked, resulting in a loss of approximately 377,642 USDT (about 610.555 BNB). The vulnerability was due to the _update function of the LBPHashrate contract being triggered by a zero-value transferFrom call, bypassing OpenZeppelin's authorization checks. The attacker could call this function without authorization, triggering _harvest and minting LBP tokens to the PancakePair address through LBP.mintReward. The minted LBP increased the pool balance but did not change the reserves, and the attacker subsequently drained USDT through PancakePair.swap.