No, there is no such exploit, nor is it possible through PunBB's code as far as I can tell (especially with the protection Rickard added in 1.2.9)
A couple possibilities:
The guy figured out your password and is logging in as you to unban himself
The guy can access your DB
Your PunBB isn't fully updated. He's using an exploit that you didn't fully patch to gain access.
Now, three things that might help you:
1. Upgrade to 1.2.10
The removal of reliance on X_FORWARDED_FOR means it becomes harder for him to fake his IP
2. Change yout password to something complicated and hard to figure out
3. If you have access to the access_log, paste us the relevant parts and we can try and figure out if it was actually an exploit