Key Takeaways
Slowmist said a missing return statement in the DIP token's code drained about $111,098 in USDC.
The flaw doubled transfers routed through Pancakeswap, adding to the 2,150-plus incidents logged by Slowmist this year.
DeFi has lost over $1 billion to exploits in 2026, keeping audit demand high heading into H2.
A Transfer That Ran Twice
Slowmist flagged the incident in a threat intelligence alert, pinning the loss at 111,097.6 USDC. The firm said the DIP token's "_transfer()" function was missing a "return" statement in the branch that handles trades routed through the Pancakeswap router (the contract that decentralized exchanges use to swap tokens against liquidity pools). The team further added:
"The attacker exploited this by calling `skim(router)` to trigger double DIP transfers, then `sync()` to set the DIP reserve to an extremely low value, manipulating the AMM price to drain the pool."
Despite a detailed breakdown, Slowmist did not name the attacker or say whether the stolen funds could be recovered anytime soon.
The mechanics of the entire operation are fairly mundane: decentralized exchanges such as Pancakeswap rely on automated router contracts to move tokens between traders and liquidity pools. A token is free to add custom logic to its own transfer function, but when that logic mishandles router interactions, the door opens to repeated, unintended payouts.
In the DIP case, the missing "return" meant code that should have stopped after one transfer instead fell through and executed a second time. Every trade that touched the router effectively paid out twice, quietly bleeding USDC from the pool.
The bug needed no flash loan, oracle trick, or stolen key to work, only a gap in the token's own code. Such router-aware and fee-on-transfer tokens are common on Binance-linked chains, where projects often bolt extra behavior onto standard token templates. Each added branch is another place for a mistake to hide, and automated swaps can trigger that mistake thousands of times before anyone notices.
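To make the fall-through concrete, here is an added illustration (not DIP's actual code, and not from Slowmist) of a hypothetical fee-on-transfer token whose router branch forgets to return, shown next to the corrected version. The `router`, `feeReceiver` and `FEE_BPS` names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token: the names and fee are assumptions, not DIP's code.
contract FallThroughToken {
    mapping(address => uint256) public balanceOf;
    address public immutable router;      // DEX router address (assumed)
    address public feeReceiver;           // receives the trade fee (assumed)
    uint256 public constant FEE_BPS = 200; // 2% fee on router trades (assumed)

    constructor(address router_, address feeReceiver_) {
        router = router_;
        feeReceiver = feeReceiver_;
        balanceOf[msg.sender] = 1_000_000 * 1e18;
    }

    // VULNERABLE pattern: the router branch does its fee-adjusted transfer but
    // never returns, so execution falls through into the plain transfer below
    // and the recipient is paid a second time. Whenever `from` holds enough
    // tokens for both moves (a liquidity pool does), the double payout succeeds.
    function _transferVulnerable(address from, address to, uint256 amount) internal {
        if (from == router || to == router) {
            uint256 fee = (amount * FEE_BPS) / 10_000;
            _move(from, feeReceiver, fee);
            _move(from, to, amount - fee);
            // missing: return;
        }
        _move(from, to, amount); // also runs for router trades
    }

    // FIXED pattern: each branch terminates, so exactly one transfer path runs.
    function _transferFixed(address from, address to, uint256 amount) internal {
        if (from == router || to == router) {
            uint256 fee = (amount * FEE_BPS) / 10_000;
            _move(from, feeReceiver, fee);
            _move(from, to, amount - fee);
            return;
        }
        _move(from, to, amount);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transferFixed(msg.sender, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) private {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}
```

A unit test that transfers `amount` to the router and asserts the recipient's balance grew by exactly `amount - fee` (and the sender's fell by exactly `amount`) would flag the vulnerable variant immediately, which is the kind of per-branch invariant check an audit of custom `_transfer()` logic should include.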
Part of a Costly 2026 for DeFi
The DIP loss is small next to the year's headline breaches, but it fits a steady drumbeat of code-level failures. Slowmist's public hack database alone has logged more than 2,150 incidents and about $37.8 billion in cumulative losses. In recent days, the tracker recorded a $105,000 loss at Thetanuts Finance and a $2.1 million Aztec Connect exploit.
More specifically, smart contract bugs have driven much of the year's damage, with DeFi protocols having lost more than $1 billion to hacks and exploits (as of last month). Slowmist itself traced the Aztec Connect drain to a deprecated contract and pinned a $174,570 Grok-Bankr theft on an artificial intelligence (AI) agent that was tricked into approving a transfer.
Finally, Bitcoin.com News reported earlier in the year that Zetachain paused its mainnet after Slowmist identified a missing access control in its GatewayZEVM contract, another case of a single logic gap handing attackers an opening.
With no recovery confirmed and the attacker still unidentified, the DIP episode reinforces a recurring lesson: a single missing line can be enough to drain a pool, and independent audits remain the main line of defense as DeFi losses climb.