Early security tracking indicates that the DIP token contract on BNB Chain was exploited in an incident preliminarily estimated at about $110,000. The alert was tied to a PancakeSwap liquidity-pool manipulation involving DIP and AIC, with security researchers pointing to a contract-level transfer bug.
The incident was reported on June 17, while secondary coverage said the attack targeted DIP on June 16. A BlockSec Phalcon trace identifies the referenced BNB Chain transaction as 0x1c09395848a87069c9d6ddbe5adc6249510aba7a2a83479a74b4280cafb5fb29, although the accessible public materials do not provide a confirmed block timestamp or attacker address.
🚨SlowMist TI Alert🚨
💸 Loss: 111,097.596667856001191208 USDC (~$111,097.6)
🔍 Root Cause: DIP token `_transfer()` function has a missing `return` statement in the router branch (when `from` or `to` is PancakeSwap Router). This causes the same transfer to be executed twice… pic.twitter.com/yHiVUczRZi
— SlowMist (@SlowMist_Team) June 17, 2026
DIP Transfer Bug Enabled Pool Manipulation
SlowMist attributed the exploit to a missing return statement in DIP’s _transfer() function when the sender or recipient matched the PancakeSwap router. That logic caused the same transfer path to execute twice under specific conditions.
Independent technical commentary placed the vulnerable path around nexus_dip.sol:1702, where the router branch first executed super._transfer() and then continued into another unconditional transfer. That duplicate settlement broke the pool’s accounting assumptions.
The attacker reportedly used the bug to manipulate the AIC-DIP liquidity pair. Researchers said the attacker shaped the pair so its live DIP balance was twice its recorded reserve, then called skim(router) to double-drain DIP reserves and followed with sync() to lock in the distorted reserve state.
The exploit path then moved through related liquidity. The attacker drained more than 29 million AIC tokens from the manipulated AIC-DIP pair and converted the extracted value through a related AIC/USDT pool, cashing out roughly 111,097.6 USDC.
Loss Figure Remains Preliminary
The loss should still be treated as a preliminary estimate near $110,000, even though SlowMist’s public alert cited 111,097.596667856001191208 USDC. No full project post-mortem has yet confirmed the final accounting, recovery status or user-level impact.
The affected contract is described in the security analysis as the DIP token contract on BNB Chain, specifically its custom transfer logic. However, the full DIP contract address and the attacker wallet address were not visible in the accessible source material at the time of drafting.
That distinction matters because the exploit appears to have originated from token-side logic rather than a disclosed flaw in PancakeSwap’s skim() or sync() functions. Those pool functions appear to have behaved normally, while DIP’s non-standard transfer behavior created the accounting failure.
The project had not issued a complete official response covering emergency pauses, contract remediation or liquidity restoration. Until that happens, claims about final losses, attacker identity and recovery actions should remain qualified.
For now, the confirmed public trace is narrow: DIP on BNB Chain was affected, the referenced transaction hash is available, and the estimated loss remains around $110,000. The next required update is a formal technical post-mortem with the affected contract address, attacker wallet, block timestamp and remediation steps.