Key Takeaways
SlowMist said a missing return statement in the DIP token's code drained about $111,098 in USDC.
The flaw doubled transfers through PancakeSwap, adding to the 2,150-plus incidents logged by SlowMist this year.
DeFi has lost over $1 billion to exploits in 2026, keeping audit demand high heading into H2.
A Transfer That Ran Twice
SlowMist flagged the incident in a threat intelligence alert, pinning the loss at 111,097.6 USDC. The firm said the DIP token's `_transfer()` function was missing a `return` statement in the branch that handles trades routed through the PancakeSwap router (a contract that decentralized exchanges use to swap tokens against liquidity pools). The team added:
“The attacker exploited this by calling `skim(router)` to trigger double DIP transfers, then `sync()` to set the DIP reserve to an extremely low value, manipulating the AMM price to drain the pool.”
Despite a detailed breakdown, SlowMist did not name the attacker or say whether the stolen funds could be recovered anytime soon.
The mechanics of the whole operation appear fairly mundane, given that decentralized exchanges such as PancakeSwap rely on automated router contracts to move tokens between traders and liquidity pools. A token is free to add custom logic to its own transfer function, but when that logic mishandles router interactions, the door opens to repeated, unintended payouts.
In the DIP case, the missing `return` meant code that should have stopped after one transfer instead fell through and executed a second time. Every trade that touched the router effectively paid out twice, quietly bleeding USDC from the pool.
The bug needed no flash loan, oracle trick, or stolen key to work, only a gap in the token's own code. Such router-aware and fee-on-transfer tokens are common on Binance-linked chains, where projects often bolt extra behavior onto standard token templates. Each added branch is another place for a mistake to hide, and automated swaps can trigger that mistake thousands of times before anyone notices.
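The fall-through pattern described above, shown as an added illustration beside its fix. This is a hypothetical reconstruction of the bug class, not the DIP contract's code; the `router`, `feeWallet` and `FEE_BPS` names and the 2% fee are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token skeleton illustrating a custom _transfer() whose
// router branch falls through into the plain-transfer path.
contract FallThroughToken {
    mapping(address => uint256) internal _balances;
    address public immutable router;       // assumed: DEX router address
    address public feeWallet;              // assumed: fee recipient
    uint256 public constant FEE_BPS = 200; // assumed: 2% fee on router trades

    constructor(address router_, address feeWallet_) {
        router = router_;
        feeWallet = feeWallet_;
    }

    function balanceOf(address who) external view returns (uint256) {
        return _balances[who];
    }

    function _rawTransfer(address from, address to, uint256 amount) internal {
        _balances[from] -= amount; // reverts on underflow in Solidity 0.8.x
        _balances[to] += amount;
    }

    // VULNERABLE: the router branch completes its own transfer but never
    // returns, so control falls through and the plain transfer runs as well.
    // Every router trade therefore debits `from` twice and pays `to` twice.
    function _transferVulnerable(address from, address to, uint256 amount) internal {
        if (from == router || to == router) {
            uint256 fee = (amount * FEE_BPS) / 10_000;
            _rawTransfer(from, feeWallet, fee);
            _rawTransfer(from, to, amount - fee);
            // missing: return;
        }
        _rawTransfer(from, to, amount); // unintended second payout
    }

    // FIXED: the two paths are mutually exclusive; the router branch
    // returns (an if/else would be equivalent) so only one transfer happens.
    function _transferFixed(address from, address to, uint256 amount) internal {
        if (from == router || to == router) {
            uint256 fee = (amount * FEE_BPS) / 10_000;
            _rawTransfer(from, feeWallet, fee);
            _rawTransfer(from, to, amount - fee);
            return;
        }
        _rawTransfer(from, to, amount);
    }
}
```

A unit test that seeds `from` with a known balance, routes one transfer through the router branch, and asserts the sender's balance dropped by exactly `amount` would catch the vulnerable variant, since it debits twice or reverts.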
Part of a Costly 2026 for DeFi
The DIP loss is small next to the year's headline breaches, but it fits a steady drumbeat of code-level failures. SlowMist's public hack database alone has logged more than 2,150 incidents and about $37.8 billion in cumulative losses. In recent days, the tracker recorded a $105,000 loss at Thetanuts Finance and a $2.1 million Aztec Connect exploit.
More specifically, smart contract bugs have driven much of the year's damage, with DeFi protocols having lost more than $1 billion to hacks and exploits (as of last month). SlowMist itself traced the Aztec Connect drain to a deprecated contract and pinned a $174,570 Grok-Bankr theft on an artificial intelligence (AI) agent that was tricked into approving a transfer.
Finally, Bitcoin.com News reported earlier in the year that Zetachain paused its mainnet after SlowMist identified a missing access control in its GatewayZEVM contract, another case of a single logic gap handing attackers an opening.
With no recovery confirmed and the attacker still unidentified, the DIP episode reinforces a recurring lesson: a single missing line can be enough to drain a pool, and independent audits remain the main line of defense as DeFi losses climb.
