Exploitation of DIP Token: Bug _transfer() Drains $111,098 USDC

June 16, 2026 | BNB Smart Chain | Source: SlowMist TI Alert

SUMMARY:
SlowMist confirms the exploitation of the AIC-DIP pool on BNB Chain with a loss of 111,097.59 USDC. Cause: the _transfer() function of the DIP token lacked a return statement on the branch handling transactions via the PancakeSwap router.

"DIP" here is a separate token on BNB Chain (paired with AIC),

TECHNICAL MECHANISM:
Without a return, the execution that should have halted after one transfer continued and initiated a second transfer. The attacker exploited this by:

1. Repeatedly calling the scheme(router) to trigger double unauthorized DIP transfers.

2. Calling sync() forced the DIP reserve to plummet, distorting the AMM price.

This manipulation altered the pool composition, then drained around 29,037,659 AIC tokens, converted into USDC.

CHARACTERISTICS:
No flash loan, oracle manipulation, or stolen private keys required. A pure logic flaw in the code. Fee-on-transfer token with specific router logic on BNB Chain; any additional branch potentially conceals bugs. The attacker's identity remains undisclosed.

MARKET CONTEXT:
This loss is minor compared to major incidents this year, but it adds to the list of code-level failures. SlowMist's database records over 2,150 incidents, with cumulative losses around $37.8 billion. The DeFi sector has lost over $1 billion due to exploits this year.

SENTIMENT & IMPACT:
Investor sentiment: Bearish
Market impact: Moderate, significant for the affected tokens

REFERENCES:
https://news.bitcoin.com/es/slowmist-una-sola-linea-de-codigo-que-faltaba-provoco-una-perdida-de-111000-dolares-en-el-token-dip/
https://news.symplexia.com/2026/06/new-economy/cryptocurrency/slowmist-a-single-missing-line-of-code-drained-111000-from-the-dip-token/
https://www.cryptotimes.io/2026/06/17/dip-token-bug-drains-111k-from-pancakeswap-pool/