DIP Token Code Flaw Drains $111,000 via Pancakeswap Router Exploit

Slowmist reported a code vulnerability in the DIP token that drained 111,097.6 USDC through a missing return statement in the token's transfer function. The flaw allowed double transfers when trades were routed through the Pancakeswap router, enabling an attacker to manipulate the automated market maker price and drain the liquidity pool. The incident adds to more than 2,150 exploits logged by Slowmist in 2026, a year in which DeFi protocols have lost over $1 billion to hacks and code-level failures.

Missing Return Statement Enabled Double DIP Token Transfers

Slowmist flagged the incident in a threat intelligence alert, pinning the loss at 111,097.6 USDC. The firm said the DIP token's "_transfer()" function was missing a "return" statement in the branch that handles trades routed through the Pancakeswap router. Slowmist stated: "The attacker exploited this by calling skim(router) to trigger double DIP transfers, then sync() to set the DIP reserve to an extremely low value, manipulating the AMM price to drain the pool."

Slowmist did not name the attacker or say whether the stolen funds could be recovered.

Decentralized exchanges such as Pancakeswap rely on automated router contracts to move tokens between traders and liquidity pools. In the DIP case, the missing "return" meant that execution, which should have stopped after one transfer, carried on and performed a second. Each trade that touched the router paid out twice, bleeding USDC from the pool.
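The fall-through described above, as an added Solidity sketch beside a hardened form; it is not the DIP token's source, which this article does not reproduce. The contract name, the `_move` helper and the router condition are assumptions made for illustration, and the hardened variant assumes a token with no transfer fee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch, not the DIP token's source; every name here is hypothetical.
contract RouterAwareTokenSketch {
    mapping(address => uint256) public balanceOf;
    address public immutable router; // assumed: the DEX router the token special-cases

    constructor(address router_, uint256 supply) {
        router = router_;
        balanceOf[msg.sender] = supply;
    }

    function _move(address from, address to, uint256 amount) private {
        balanceOf[from] -= amount; // checked arithmetic: reverts on underflow
        balanceOf[to] += amount;
    }

    // Flawed shape: the router branch has no `return`, so control falls
    // through to the default path and the same amount is moved twice.
    function _transferFlawed(address from, address to, uint256 amount) internal {
        if (from == router || to == router) {
            _move(from, to, amount);
            // missing: return;
        }
        _move(from, to, amount);
    }

    // Hardened shape: mutually exclusive branches plus a post-condition that
    // reverts if either side moved by anything other than `amount`.
    function _transferFixed(address from, address to, uint256 amount) internal {
        uint256 fromBefore = balanceOf[from];
        uint256 toBefore = balanceOf[to];
        if (from == router || to == router) {
            _move(from, to, amount); // router-specific handling would live here
        } else {
            _move(from, to, amount);
        }
        if (from != to) {
            assert(balanceOf[from] == fromBefore - amount);
            assert(balanceOf[to] == toBefore + amount);
        }
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transferFixed(msg.sender, to, amount);
        return true;
    }
}
```

The same balance-delta check, run from a unit or fuzz test against every special-cased address, flags the flawed shape before deployment.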

The bug required no flash loan, oracle manipulation, or stolen key. Router-aware and fee-on-transfer tokens are common on Binance-linked chains, where projects add extra behavior onto standard token templates.

Slowmist Logs DIP Exploit Among 2,150-Plus 2026 Incidents

Slowmist's public hack database has logged more than 2,150 incidents and approximately $37.8 billion in cumulative losses. The tracker recorded a $105,000 loss at Thetanuts Finance and a $2.1 million Aztec Connect exploit in recent days.

Smart contract bugs have driven much of the year's damage, with DeFi protocols having lost more than $1 billion to hacks and exploits as of last month. Slowmist traced the Aztec Connect drain to a deprecated contract and pinned a $174,570 Grok-Bankr theft on an AI agent that was tricked into approving a transfer.

Bitcoin.com News reported earlier in the year that Zetachain paused its mainnet after Slowmist identified missing access control in its GatewayZEVM contract.

FAQ

What caused the DIP token to lose $111,000 in USDC?
Slowmist reported that a missing return statement in the DIP token's "_transfer()" function allowed double transfers when trades were routed through the Pancakeswap router, draining 111,097.6 USDC from the liquidity pool.

How many DeFi exploits has Slowmist logged in 2026?
Slowmist's public hack database has logged more than 2,150 incidents in 2026, with cumulative losses totaling approximately $37.8 billion across all recorded exploits.
