On June 20, 2026, PancakeSwap on the BNB Chain was once again thrust into the spotlight: According to security agencies like PeckShield, its OLPC/LABUBU liquidity pool suffered a hacker attack, with approximately $1.1 million in assets being siphoned out of the pool and quickly consolidated into addresses controlled by the attacker. More dramatically, the attacker did not linger on the BNB Chain, but rather followed the "standard script" of recent DeFi attacks, transferring most of the stolen funds cross-chain to the Ethereum network shortly after the incident occurred. PeckShield tracked that after the cross-chain transfer was completed, the attacker deposited 633.4 ETH into the Tornado Cash contract address on Ethereum, attempting to sever the on-chain links between the source and destination of the funds through this privacy mixing protocol. Tornado Cash had previously faced sanctions from U.S. regulators for being widely used for money laundering, and now reappearing along the attack path magnifies the tension between "security tracking" and "privacy protection." As a leading decentralized exchange on the BNB Chain, PancakeSwap has been discussed multiple times due to flash loan and contract risks, and now its liquidity pool has once again fallen, while the stolen funds flowed into a sanctioned privacy protocol, constituting a typical on-chain "cat-and-mouse game," which exposed the weaknesses in DeFi protocol security and the duality of privacy tools on the same funding path.
OLPC Pool Emptied: PancakeSwap Struck Again
This time, it was not the entire PancakeSwap protocol that went down, but rather a seemingly insignificant corner—the liquidity pool for the OLPC/LABUBU trading pair on the BNB Chain was precisely targeted. According to reports from PeckShield, approximately $1.1 million worth of assets were quickly "drained" from this pool, flowing into addresses controlled by the attacker, while other mainstream trading pairs and functionalities remained operational at that time. The user interface only displayed a pool with a price anomaly and a sudden drop in liquidity, yet it tore a significant hole on-chain.
From currently available information, the attacker seemingly manipulated the price mechanism or contract logic, performing a series of complex operations to significantly deplete the pool's liquidity, but the specific attack path and technical details have yet to be fully disclosed. Any qualitative judgment attributing it solely to a single contract vulnerability or simple price manipulation should be approached with caution. The issue is that this is not the first time PancakeSwap has been involved in security incidents related to flash loans or smart contract design. As the leading decentralized trading platform by volume and user numbers on the BNB Chain, every loss of a partial pool is magnified into doubts about the overall security of the protocol, leading to a growing accumulation of user uncertainty about whether it has "really patched old vulnerabilities" and "whether it can still handle substantial assets" amid the compounding of on-chain events.
Cross-Chain Escape from BNB Chain: Funds Flow to Ethereum
After the pool's assets were drained, the attacker did not linger long on the BNB Chain. Based on on-chain records disclosed by PeckShield and other sources, assets worth around $1.1 million were quickly consolidated into a few addresses controlled by the attacker, before being transferred to the Ethereum network via a cross-chain protocol. For the attacker, jumping from the initial chain to another mainstream public chain is both a physical "escape" from the PancakeSwap attack scene and a preparation for placing chips in a larger and more complex environment for further processing or mixing on Ethereum.
In the context of the frequent attacks on DeFi and cross-chain bridges over the past year or two, this operation is almost a textbook recreation: after completing the initial attack action, the priority is to migrate chips out of the original chain, using cross-chain "stepping stones" to evade focused surveillance by single-chain monitoring tools. However, regardless of how many chains were crossed, these migrations are still fully recorded in their respective blockchain ledgers. From the abnormal outflow of the PancakeSwap liquidity pool on the BNB Chain to the cross-chain arrival time and target addresses on the Ethereum network, everything was documented, providing necessary foundational data for security agencies to reconstruct the attack paths and lock in key addresses.
633 ETH Flowing into Tornado Cash Privacy Pool
Once the cross-chain funds landed on Ethereum, the attacker did not stay long. According to on-chain information disclosed by PeckShield and others, the address controlling the stolen assets quickly deposited 633.4 ETH directly into the Tornado Cash contract. For those familiar with this type of attack path, this step is almost a "textbook operation"—after aggregating funds and completing a cross-chain migration on a public chain, they are immediately pushed into a privacy pool designed specifically to obscure and reorganize the flow of funds, attempting to sever the complete financial chain previously outlined by trackers.
Tornado Cash itself is merely a decentralized mixing protocol deployed on Ethereum. It obscures the direct association of "which money comes from which address" by mixing deposits from multiple users and providing corresponding withdrawal rights after a period of time. This mechanism not only offers tools for ordinary users to protect their financial privacy on-chain, but has also been repeatedly abused as a money laundering outlet in various historical hacker events, ultimately leading to sanctions from U.S. regulators, who blacklisted some relevant contract addresses. However, once a contract is deployed on-chain, it is difficult to unilaterally take it offline. The influx of 633.4 ETH once again indicates that between privacy needs, technical neutrality, and compliance constraints, Tornado Cash is still viewed by attackers as a gray area that can be exploited, and this pull will not automatically dissipate in the short term.
Security Company Tracking: Dancing with Hackers on Transparent Chains
As funds surged toward this gray area, the defensive side was not absent. PeckShield quickly intervened when abnormalities surfaced in the PancakeSwap OLPC/LABUBU liquidity pool, matching historical fund scales and transaction frequencies to identify the key attack transactions that triggered the outflow of approximately $1.1 million in assets, and immediately issued a warning, indicating that the addressing interactions presented high risks. Almost simultaneously, security teams like PeckShield also targeted the same batch of suspicious transactions, marking the attacker's receipt address on the BNB Chain to lay anchor points for future cross-chain path tracking.
The attack did not stop at the BNB Chain. According to on-chain analysis disclosed by PeckShield, the security team tracked the suspicious addresses, recording the time and quantity of the stolen assets arriving cross-chain on Ethereum, ultimately confirming that 633.4 ETH flowed into the Tornado Cash contract on Ethereum. By linking the transfer records on both the BNB Chain and Ethereum, they publicly disclosed the complete funding path from the liquidity pool to the cross-chain bridge and then to the privacy protocol, shedding light on any subsequent interactions with these addresses under the spotlight. However, regardless of how transparent public chains are, there still lacks a direct binding between addresses and real-world identities. Unless hackers leave exploitable clues off-chain, this state of confrontation where "funds are visible, but real people are not" will continue to exist for quite a long time, and this is precisely a reality that both attackers and defenders cannot evade.
Shadow Over BNB Ecosystem: The PancakeSwap Security Question
On the BNB Chain, PancakeSwap is not just an ordinary DEX; it is almost synonymous with the face of DeFi on this chain: transaction volume and user activity are among the top, with many ordinary users first encountering on-chain finance through it. Because of this central position, when the OLPC/LABUBU liquidity pool was hacked for about $1.1 million on June 20, 2026, the impact extended beyond just the LP of a single pool, leading to a reevaluation of the overall security picture of the entire BNB ecosystem. The BNB ecosystem has already experienced multiple DeFi security incidents in the past, and now it is the leading protocol that has "fallen." During the on-chain funds transferred and mixed progressively, the market is more likely to form an intuitive impression: even the largest protocols struggle to completely fend off targeted attacks.
For PancakeSwap itself, this is not the first time it has been embroiled in security storms. Historical attacks surrounding flash loans and smart contract vulnerabilities have already placed it under the magnifying glass, while leading protocols must balance expanding business lines, increasing trading pairs and strategy plays, and maintaining a high-pressure stability in code and risk control, with each iteration extending the potential attack surface. As of now, there has not been sufficient detailed disclosure regarding the specific technical causes of this OLPC/LABUBU pool attack, as well as subsequent fund recovery and user compensation arrangements, making it difficult for the outside world to determine whether the issues stem from a single contract logic, business design, or some underlying security process. This information gap itself hangs a safety question mark over the BNB ecosystem that has yet to be removed.
Where Will the Tug-of-War Between DeFi Security and Privacy Lead?
From the draining of the OLPC/LABUBU pool on the BNB Chain to the cross-chain migration of stolen assets to Ethereum, and ultimately the 633.4 ETH landing in Tornado Cash, this approximately $1.1 million attack was laid bare on the public chain, yet still left vast gaps regarding identity, asset recovery, and accountability. This encapsulates the sharpest contradiction in open finance today: the extremely high composability and iteration speed have allowed leading DEXs like PancakeSwap to expand rapidly, repeatedly contributing attack samples in the tens of millions and even hundreds of millions of dollars over the past few years, while the lagging security systems have been amplified time and again. Privacy protocols like Tornado Cash are technically challenging to simply shut down; they cater to legitimate anonymous needs on one end while being exploited by hackers to sever funding paths on the other. This tug-of-war between "tool neutrality" and regulatory sanctions is bound to be brought back to the forefront after this incident. What will be worth following up on is whether PancakeSwap provides a sufficient technical review and repair path, whether privacy protocols undergo a new round of compliance battles, and whether ordinary users can genuinely establish a fundamental understanding of contract risks, permissions settings, and asset diversification before participating in DeFi; otherwise, similar on-chain scripts will likely replay in the next high-yield pool.
Join our community, let’s discuss and become stronger together!
AiCoin exclusive Hyperliquid benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin exclusive Aster benefits: https://www.asterdex.com/zh-CN/referral/9C50e2
On-chain Telegram community: https://t.me/AiCoinWhaleData
On-chain community: https://www.aicoin.com/link/chat?cid=N6OVMor5g
AiCoin on-chain Twitter: https://x.com/aicoinwhaledata
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
