Key Takeaways
- Slowmist said a missing return statement in DIP token’s code drained about $111,098 in USDC.
- The flaw doubled transfers via Pancakeswap, adding to 2,150-plus incidents logged by Slowmist this year.
- DeFi has lost over $1 billion to exploits in 2026, keeping audit demand high heading into H2.
A Transfer That Ran Twice
Slowmist flagged the incident in a threat intelligence alert, pinning the loss at 111,097.6 USDC. The firm said the DIP token’s “_transfer()” function was missing a “return” statement in the branch that handles trades routed through the Pancakeswap router (a contract that decentralized exchanges use to swap tokens against liquidity pools). The team added:
“The attacker exploited this by calling `skim(router)` to trigger double DIP transfers, then `sync()` to set the DIP reserve to an extremely low value, manipulating the AMM price to drain the pool.”
Despite a detailed breakdown, Slowmist did not name the attacker or say whether the stolen funds could be recovered anytime soon.
The mechanics are mundane. Decentralized exchanges such as Pancakeswap rely on automated router contracts to move tokens between traders and liquidity pools. A token is free to add custom logic to its own transfer function, but when that logic mishandles router interactions, the door opens to repeated, unintended payouts.
In the DIP case, the missing “return” meant code that should have stopped after one transfer instead fell through and executed a second time. Each trade that touched the router effectively paid out twice, quietly bleeding USDC from the pool.
The bug needed no flash loan, oracle trick, or stolen key to work, only a gap in the token’s own code. Such router-aware and fee-on-transfer tokens are common on Binance-linked chains, where projects often bolt extra behavior onto standard token templates. Each added branch is another place for a mistake to hide, and automated swaps can trigger that mistake thousands of times before anyone notices.
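The fall-through described above can be reproduced in a small model, shown here beside the corrected branch and an invariant check that a test suite could run against every transfer path. This is an added example, not DIP’s contract or Slowmist’s code: the `Token` class, the `ROUTER` constant, the account names and the balances are constructed, and the branch layout is an assumption based on the description of a missing “return”.

```python
# Simplified model of a token with a router-specific transfer branch.
# Not DIP's actual contract: names, balances and branch layout are assumptions.

ROUTER = "router"  # hypothetical stand-in for the DEX router address


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)

    def _move(self, src, dst, amount):
        """Base balance update, like an ERC-20 internal transfer."""
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer_buggy(self, src, dst, amount):
        if dst == ROUTER:
            self._move(src, dst, amount)
            # BUG: no `return` here, so execution falls through
        self._move(src, dst, amount)

    def transfer_fixed(self, src, dst, amount):
        if dst == ROUTER:
            self._move(src, dst, amount)
            return  # router branch ends here
        self._move(src, dst, amount)


def transfer_is_exact(method_name, dst, amount=100):
    """Invariant: one call debits the sender and credits the recipient once."""
    token = Token({"pool": 1_000, ROUTER: 0, "user": 0})  # constructed balances
    before = dict(token.balances)
    getattr(token, method_name)("pool", dst, amount)
    after = token.balances
    return (before["pool"] - after["pool"] == amount
            and after[dst] - before[dst] == amount)


if __name__ == "__main__":
    for name in ("transfer_buggy", "transfer_fixed"):
        for dst in ("user", ROUTER):
            print(name, dst, transfer_is_exact(name, dst))
```

The check fails only for the buggy method on the router path, which is why a test that exercises ordinary transfers alone would not catch this class of bug.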
Part of a Costly 2026 for DeFi
The DIP loss is small next to the year’s headline breaches, but it fits a steady drumbeat of code-level failures. Slowmist’s public hack database alone has logged more than 2,150 incidents and about $37.8 billion in cumulative losses. In recent days, the tracker recorded a $105,000 loss at Thetanuts Finance and a $2.1 million Aztec Connect exploit.
Smart contract bugs have driven much of the year’s damage, with DeFi protocols having lost more than $1 billion to hacks and exploits as of last month. Slowmist itself traced the Aztec Connect drain to a deprecated contract and pinned a $174,570 Grok-Bankr theft on an artificial intelligence (AI) agent that was tricked into approving a transfer.
Lastly, Bitcoin.com News reported earlier in the year that Zetachain paused its mainnet after Slowmist identified a missing access control in its GatewayZEVM contract, another case of a single logic gap handing attackers an opening.
With no recovery confirmed and the attacker still unidentified, the DIP episode reinforces a recurring lesson: a single missing line can be enough to empty a pool, and independent audits remain the main line of defense as DeFi losses climb.
