Missing return let attacker drain $111,098 from DIP token
A missing return in the DIP token’s transfer code let an attacker siphon about $111,098 in USDC by exploiting Pancakeswap router calls skim() and sync().
Slowmist reported that a coding flaw in the DIP token allowed an attacker to withdraw about 111,097.6 USDC from a Pancakeswap liquidity pool.
The firm identified the error in the token’s _transfer() function, where a missing return statement in the branch for trades routed through the Pancakeswap router allowed transfer logic to run twice. That double execution meant swaps touching the router paid out DIP tokens two times.
“The attacker exploited this by calling `skim(router)` to trigger double DIP transfers, then `sync()` to set the DIP reserve to an extremely low value, manipulating the AMM price to drain the pool,” Slowmist wrote.
According to Slowmist, the attacker used skim(router) to force the duplicated transfers and then called sync() to push the DIP reserve to a very low level, enabling withdrawals of USDC from the pool at an artificially favorable rate. The firm noted the exploit did not require a flash loan, oracle manipulation or key theft.
Slowmist reported the loss at 111,097.6 USDC, did not identify the attacker and did not report any recovery of funds.
Tokens that add custom logic to their transfer functions are common on Binance-linked chains. When that logic does not correctly handle router interactions, automated swaps can repeatedly trigger unintended code paths; in this incident the missing return allowed a second transfer that should not have occurred.
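The following Python model is an added example, not DIP's contract code or Slowmist's analysis. It contrasts a router branch that falls through into the default transfer path with one that returns, and shows a regression check that catches the difference: after skim(), a pair's token balance should equal its recorded reserve. All names and numbers are constructed, and the model assumes the second execution moves the same amount as the first.

```python
ROUTER, PAIR, USER = "router", "pair", "user"  # constructed addresses

class Token:
    """Simplified model of a token with a special-case branch for the router."""
    def __init__(self, balances, return_after_router_branch):
        self.bal = dict(balances)
        self.return_after_router_branch = return_after_router_branch

    def _move(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount

    def transfer(self, src, dst, amount):
        if ROUTER in (src, dst):
            self._move(src, dst, amount)      # router-specific path
            if self.return_after_router_branch:
                return                        # the statement the flawed code lacked
        self._move(src, dst, amount)          # default path

def skim_shortfall(token, reserve):
    """Model pair.skim(ROUTER): send balance - reserve, then report reserve - balance."""
    excess = token.bal[PAIR] - reserve
    token.transfer(PAIR, ROUTER, excess)
    return reserve - token.bal[PAIR]          # 0 when the token behaves correctly

def check(return_after_router_branch):
    """Return (post-skim shortfall, whether the sum of balances was conserved)."""
    token = Token({PAIR: 1010, USER: 0}, return_after_router_branch)
    total_before = sum(token.bal.values())
    shortfall = skim_shortfall(token, reserve=1000)
    supply_conserved = sum(token.bal.values()) == total_before
    return shortfall, supply_conserved

if __name__ == "__main__":
    for fixed in (False, True):
        print("return present:", fixed, "->", check(fixed))
```

In this model the sum of balances stays constant in both cases, so a total-supply invariant alone does not flag the flaw; the per-transfer check on the pair's balance against its reserve does.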
Slowmist’s public hack database lists more than 2,150 incidents and roughly $37.8 billion in cumulative reported losses. The firm also recorded a roughly $105,000 loss at Thetanuts Finance, a $2.1 million exploit at Aztec Connect, a $174,570 theft involving a Grok-Bankr contract, and a pause of Zetachain’s mainnet after a missing access control was found.
Slowmist published the technical findings in a threat intelligence alert.