AIDCToken Hack
Incident Overview
On 29th June 2026, the AIDCToken protocol on the BNB Chain suffered a smart contract exploit targeting its liquidity pair on PancakeSwap, resulting in a loss of approximately 220 WBNB (~$121,000).
The exploit targeted a flawed automated taxation and token burn mechanism inside the AIDCToken implementation contract. During standard sell operations, the token's internal _sellTransfer() function accumulated a massive 30% burn fee liability without properly debiting the amount from the actual seller's personal balance.
Instead, whenever a separate, standard non-pair transfer transaction occurred, it would automatically trigger the internal _executeAccumulatedBurn() function. This routine incorrectly targeted and deducted the accumulated burn liability directly from the PancakeSwap uniswapPair contract balance rather than the active seller. Following the unvalidated deduction, a sync() invocation artificially deflated the AIDC token reserves held inside the Automated Market Maker (AMM). The attacker systematically repeated this transfer-and-burn sequence to continually shrink the pool's token reserve, skewing the relative asset pricing logic. They then performed a final, massive swap to drain nearly all remaining WBNB from the liquidity pair before washing the proceeds via 22 separate 10-BNB deposits into Tornado Cash.
Vulnerable Token Contract: 0x5021d718…a0c6fe
Affected Pool: 0x27250332…b7cbd8 (PancakeV2 AIDC/WBNB Pair)
Attacker Address: 0x89eb2c99…116b63
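The accounting flaw described above can be reduced to a small balance model. The following is an added example, not the AIDCToken contract's code: it models the flawed and corrected fee handling side by side and checks the invariant an auditor would test, namely that a transfer between two non-pair accounts must never change the pair's token balance. The account labels, starting balances and the assumption that the flawed sell path forwards the full amount to the pair are constructed for illustration.

```python
from dataclasses import dataclass, field

BURN_BPS = 3000              # 30% burn fee on sells, as stated in the write-up
PAIR, DEAD = "pair", "dead"  # hypothetical account labels for this model

@dataclass
class TokenModel:
    debit_seller: bool       # False: flawed accounting; True: corrected accounting
    balances: dict = field(default_factory=dict)
    pending_burn: int = 0

    def _move(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer(self, src, dst, amount):
        if dst == PAIR:                                # sell path
            fee = amount * BURN_BPS // 10_000
            if self.debit_seller:
                self._move(src, DEAD, fee)             # seller pays the burn now
                amount -= fee
            else:
                self.pending_burn += fee               # liability only, nobody debited
        elif src != PAIR and self.pending_burn:        # ordinary non-pair transfer
            self._move(PAIR, DEAD, self.pending_burn)  # burn taken from the pool
            self.pending_burn = 0                      # (the real contract then calls sync())
        self._move(src, dst, amount)

def pair_delta_on_third_party_transfer(debit_seller: bool) -> int:
    """Audit invariant: a transfer between two non-pair accounts must not
    change the pair's token balance. Returns the observed change."""
    t = TokenModel(debit_seller, {PAIR: 1_000_000, "alice": 10_000, "bob": 0})
    t.transfer("alice", PAIR, 1_000)   # a sell (constructed amounts)
    before = t.balances[PAIR]
    t.transfer("alice", "bob", 1)      # unrelated wallet-to-wallet transfer
    return t.balances[PAIR] - before

def spot_price(reserve_wbnb: int, reserve_token: int) -> float:
    """Constant-product spot price (WBNB per token) once reserves are synced."""
    return reserve_wbnb / reserve_token

if __name__ == "__main__":
    print("flawed pair delta:", pair_delta_on_third_party_transfer(False))
    print("fixed  pair delta:", pair_delta_on_third_party_transfer(True))
```

A non-zero result from `pair_delta_on_third_party_transfer` is the audit finding: the pool, not the seller, is paying the burn, and every synced reduction raises the token's spot price against WBNB.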
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to AIDCToken, these are the critical security checks that could have prevented this incident (June 2026).
- Verify all logic paths related to Other are guarded by proper access controls and input validation
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs