PancakeSwap V2 OCA/USDC Pool on BSC Drained of $422K in Flash Loan Exploit
Another day, another decentralized finance pool gets a surprise liquidity extraction. The PancakeSwap V2 OCA/USDC pool on the BNB Smart Chain just got hit for a cool $422,000.
The Mechanics of the Drain
Attackers deployed a classic flash loan strategy, borrowing massive amounts of capital to manipulate the pool's price oracle. In a series of rapid-fire transactions, they skewed the price of one asset, swapped at the artificial rate, and repaid the initial loan—all within a single block. The profit? Pure, extracted value from the pool's liquidity providers. It's arbitrage, just with more steps and fewer ethics.
The Aftermath and the Irony
The pool's reserves took the direct hit, but the broader PancakeSwap ecosystem chugs along—a testament to the segmented nature of DeFi risk. The exploit highlights the persistent vulnerability of certain automated market maker (AMM) designs to oracle manipulation, a known issue that projects either fix, or become expensive case studies for. It's the financial innovation cycle: build fast, break things, and let LPs foot the bill for the 'breaking' part.
While $422K is a rounding error for TradFi's daily operational losses, it stings in the communal world of DeFi. Each exploit like this serves as a stark, pricey reminder: in the race for permissionless yields, the smart contract's logic is the only law, and attackers are its most diligent students. The only thing growing faster than Total Value Locked might just be the total value occasionally, and predictably, unlocked by others.
How did the OCA/USDC exploit happen?
The attack was reportedly executed via three transactions. The first to carry out the exploit, and the following two to serve as additional builder bribes.
“In total, 43 BNB plus 69 BNB were paid to 48club-puissant-builder, leaving an estimated final profit of $340K,” Blocksec Phalcon wrote on X about the incident, adding that another transaction in the same block also failed at position 52, likely because it was frontrun by the attacker.
Flash loans on PancakeSwap allow users to borrow significant amounts of crypto assets without collateral; however, the borrowed amount plus fees must be repaid within the same transaction block.
They are primarily used in arbitrage and liquidation strategies on the Binance Smart Chain, and the loans are usually facilitated by PancakeSwap V3’s flash swap function.
Another flash loan attack was detected weeks ago
In December 2025, an exploit allowed an attacker to withdraw approximately 138.6 WBNB from the PancakeSwap liquidity pool for the DMi/WBNB pair, netting approximately $120,000.
That attack demonstrated how a combination of flash loans and manipulation of the AMM pair’s internal reserves via sync() and callback functions is capable of being used to completely deplete the pool.
The attacker first created the exploit contract and called the f0ded652() function, a specialized entry point into the contract, after which the contract then calls flashLoan from the Moolah protocol, requesting approximately 102,693 WBNB.
Upon receiving the flash loan, the contract initiates the onMoolahFlashLoan(…) callback. The first thing the callback does is find out the DMi token balance in the PancakeSwap pool in order to prepare for the pair’s reserve manipulation.
It should be noted that the vulnerability is not in the flash loan, but in the PancakeSwap contract, allowing manipulation of reserves via a combination of flash swap and sync() without protection against malicious callbacks.
Get 8% CASHBACK when you spend crypto with COCA Visa card. Order your FREE card.
