PancakeSwap V2 OCA/USDC pool on BSC drained of $422K

The post PancakeSwap V2 OCA/USDC pool on BSC drained of $422K appeared on BitcoinEthereumNews.com.

The PancakeSwap V2 pool for OCAUSDC on BSC was exploited in a suspicious transaction detected today. The attack resulted in the loss of almost $500,000 worth of USDC market, drained in a single transaction. According to reports from Blockchain security platforms, the attacker exploited a vulnerability in the deflationary sellOCA() logic, giving them access to manipulate the pool’s reserves. The final amount the attacker got away with was reportedly approximately $422,000. The exploit involved the use of flash loans and flash swaps combined with repeated calls to OCA’s swapHelper function. This removed OCA tokens directly from the liquidity pool during swaps, artificially inflating the on-pair price of OCA and enabling the drainage of USDC How did the OCA/USDC exploit happen? The attack was reportedly executed via three transactions. The first to carry out the exploit, and the following two to serve as additional builder bribes. “In total, 43 BNB plus 69 BNB were paid to 48club-puissant-builder, leaving an estimated final profit of $340K,” Blocksec Phalcon wrote on X about the incident, adding that another transaction in the same block also failed at position 52, likely because it was frontrun by the attacker. Flash loans on PancakeSwap allow users to borrow significant amounts of crypto assets without collateral; however, the borrowed amount plus fees must be repaid within the same transaction block. They are primarily used in arbitrage and liquidation strategies on the Binance Smart Chain, and the loans are usually facilitated by PancakeSwap V3’s flash swap function. Another flash loan attack was detected weeks ago In December 2025, an exploit allowed an attacker to withdraw approximately 138.6 WBNB from the PancakeSwap liquidity pool for the DMi/WBNB pair, netting approximately $120,000. That attack demonstrated how a combination of flash loans and manipulation of the AMM pair’s internal reserves via sync() and…

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: News - @ February 14, 2026 11:13 pm