Key Takeaways
Slowmist stated a lacking return assertion in DIP token’s code drained about $111,098 in USDC.The flaw doubled transfers through Pancakeswap, including to 2,150-plus incidents logged by Slowmist this 12 months.DeFi has misplaced over $1 billion to exploits in 2026, preserving audit demand excessive heading into H2.
A Switch That Ran Twice
Slowmist flagged the incident in a risk intelligence alert, pinning the loss at 111,097.6 USDC. The agency stated the DIP token’s “_transfer()” perform was lacking a “return” assertion within the department that handles trades routed by means of the Pancakeswap router (an providing that decentralized exchanges use to swap tokens towards liquidity swimming pools). The staff additional added:
“The attacker exploited this by calling `skim(router)` to set off double DIP transfers, then `sync()` to set the DIP reserve to an especially low worth, manipulating the AMM worth to empty the pool.”
Regardless of an in depth breakdown, Slowmist didn’t title the attacker or say whether or not the stolen funds may very well be recovered anytime quickly.
The mechanics of all the operation appear to be fairly mundane, given decentralized exchanges resembling Pancakeswap depend on automated router contracts to maneuver tokens between merchants and liquidity swimming pools. A token is free so as to add customized logic to its personal switch perform, however when that logic mishandles router interactions, the door opens to repeated, unintended payouts.
Within the DIP case, the lacking “return” meant code that ought to have stopped after one switch as an alternative fell by means of and executed a second time. Every commerce that touched the router successfully paid out twice, quietly bleeding USDC from the pool.
The bug wanted no flash mortgage, oracle trick, or stolen key to work (solely a niche within the token’s personal code). Such router-aware and fee-on-transfer tokens are widespread on Binance-linked chains, the place tasks usually bolt further habits onto normal token templates. Every added department is one other place for a mistake to cover, and automatic swaps can set off that mistake hundreds of occasions earlier than anybody notices.
A part of a Pricey 2026 for DeFi
The DIP loss is small subsequent to the 12 months’s headline breaches, however it matches a gentle drumbeat of code-level failures. Slowmist’s public hack database alone has logged greater than 2,150 incidents and about $37.8 billion in cumulative losses. In latest days, the tracker recorded a $105,000 loss at Thetanuts Finance and a $2.1 million Aztec Join exploit.
Much more particularly, one can see that sensible contract bugs have pushed a lot of the 12 months’s injury, with DeFi protocols having misplaced greater than $1 billion to hacks and exploits (as of final month). Slowmist itself traced the Aztec Join drain to a deprecated contract and pinned a $174,570 Grok-Bankr theft on a synthetic intelligence (AI) agent that was tricked into approving a switch.
Lastly, Bitcoin.com Information reported earlier within the 12 months that Zetachain paused its mainnet after Slowmist recognized a lacking entry management in its GatewayZEVM contract, one other case of a single logic hole handing attackers a gap.
With no restoration confirmed and the attacker nonetheless unidentified, the DIP episode bolsters a recurring lesson the place a single lacking line will be sufficient to empty a pool, and impartial audits stay the principle line of protection as DeFi losses climb.
