Slowmist: One missing code line stole $111k from DIP token

The DIP token lost 111,097.6 USDC after a coding flaw enabled a double-transfer exploit, security firm Slowmist reported.

Root Cause in the Smart Contract

Slowmist’s analysis found that the token’s _transfer() routine omitted a return statement in the branch that handles trades routed through PancakeSwap’s router. With no return, execution fell through from that branch into the standard transfer path, so every eligible trade moved the tokens twice: one intended transfer and one unintended duplicate. That single missing line turned a routine token movement into a systematic drain of USDC from the liquidity pool.

Attack Vector and Execution

The attacker called skim(router) on the pair to trigger the duplicate transfers, which left the pair holding less DIP than its recorded reserve, then called sync() so the pair recorded the artificially depressed DIP reserve. Shrinking the DIP reserve against an unchanged USDC reserve skewed the pair’s constant-product pricing in the attacker’s favor and allowed the remaining USDC to be extracted. Slowmist did not identify the attacker and noted that recovery of the stolen USDC remains uncertain.
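To make the root cause and the skim/sync sequence concrete, here is an added Python model; it is not Slowmist’s analysis code and not the DIP contract. It models a Uniswap-V2-style pair and a token whose _transfer() falls through into its standard path when the return after the router branch is missing. The names ROUTER, PAIR and ATTACKER, the reserve sizes, the 0.3% fee formula, and the attacker first depositing DIP into the pair to create skimmable excess are assumptions for illustration; the page does not say how the excess was created or how the USDC was finally withdrawn.

```python
# Added example (not Slowmist's analysis code and not the DIP contract): a toy
# model of a Uniswap-V2-style pair plus a token whose _transfer() is missing the
# `return` after its router branch. The names ROUTER/PAIR/ATTACKER, the amounts,
# the 0.3% fee and the attacker pre-seeding the pair with DIP are assumptions.

ROUTER, PAIR, ATTACKER = "router", "pair", "attacker"


class Token:
    """Minimal ERC-20-like token with a dedicated branch for router trades."""

    def __init__(self, name, balances, missing_return):
        self.name = name
        self.balances = dict(balances)
        self.missing_return = missing_return  # True models the omitted `return`

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def _move(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise ValueError(f"{self.name}: {sender} cannot pay {amount}")
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[to] = self.balance_of(to) + amount

    def transfer(self, sender, to, amount):
        """Stand-in for _transfer(): trades touching the router take a branch."""
        if sender == ROUTER or to == ROUTER:
            self._move(sender, to, amount)
            if not self.missing_return:
                return  # the one line whose absence causes the double payout
        # Standard path. With the return missing, the router branch falls
        # through to here and the same amount is moved a second time.
        self._move(sender, to, amount)


class Pair:
    """Constant-product pair: token0 = DIP, token1 = USDC."""

    def __init__(self, token0, token1):
        self.token0, self.token1 = token0, token1
        self.sync()

    def sync(self):
        # Re-record reserves from the pair's actual balances, whatever they are.
        self.reserve0 = self.token0.balance_of(PAIR)
        self.reserve1 = self.token1.balance_of(PAIR)

    def skim(self, to):
        # Send any balance above the recorded reserves to `to`.
        self.token0.transfer(PAIR, to, self.token0.balance_of(PAIR) - self.reserve0)
        self.token1.transfer(PAIR, to, self.token1.balance_of(PAIR) - self.reserve1)

    def quote_usdc_for_dip(self, amount_in):
        # Uniswap V2 getAmountOut (0.3% fee) against the recorded reserves.
        amount_in_with_fee = amount_in * 997
        return (amount_in_with_fee * self.reserve1
                // (self.reserve0 * 1000 + amount_in_with_fee))


def skim_sync_attack(missing_return, seed=100_000, sell=10_000):
    """Seed the pair with `seed` DIP, skim(router), sync(); report the damage."""
    dip = Token("DIP", {PAIR: 1_000_000, ATTACKER: seed}, missing_return)
    usdc = Token("USDC", {PAIR: 100_000}, missing_return=False)
    pair = Pair(dip, usdc)
    result = {"reserve_before": pair.reserve0,
              "quote_before": pair.quote_usdc_for_dip(sell)}

    dip.transfer(ATTACKER, PAIR, seed)  # creates exactly `seed` of excess DIP
    pair.skim(ROUTER)                   # buggy token moves the excess twice
    pair.sync()                         # pair now records the depressed balance

    result["reserve_after"] = pair.reserve0
    result["router_received"] = dip.balance_of(ROUTER)
    result["quote_after"] = pair.quote_usdc_for_dip(sell)
    return result


if __name__ == "__main__":
    for label, buggy in (("missing return", True), ("with return", False)):
        print(label, skim_sync_attack(buggy))
```

Running it shows the invariant that skim() followed by sync() should never lower a recorded reserve: with the return missing, one skim(router) moves the excess twice, sync() records a DIP reserve 100,000 lower, and the same 10,000 DIP now quotes for more USDC than before; with the return present the reserve and the quote are unchanged. A unit test asserting that invariant against the token’s own pair would have caught this bug before deployment.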

Impact on Investors and the Crypto Market

Investors holding DIP now face a lower token price and diminished confidence in the project. The incident underscores the need for rigorous code audits, especially for fee-on-transfer tokens with special-cased logic for decentralized exchange routers and pairs, where a single control-flow slip can drain a liquidity pool. A concrete check is to exercise every _transfer() branch against the token’s own liquidity pair, including skim() and sync(), and confirm that balances and reserves change exactly once per transfer. For developers, the breach is a cautionary tale about protecting liquidity and maintaining investor trust.