$592 000 USD

JANUARY 2025

GLOBAL

IPC AI TOKEN

DESCRIPTION OF EVENTS

IPC AI token is a smart contract launched on December 31st, 2024.

 

"IPC exploited for $500k, hacker used swap() function to avoid being detected as buy behavior. Thus transferTime[sender] of attack contract stays 0. Additionally he got to buy with fee=0. And when selling, nearly 50% of last sell amount got burned from pair."

 

"So if _isAddLP(pair) returns false: the recipient == pair: is triaged as sell in the LP, can force the transaction into the sell pathway"

 

"The attacker circumvented the flashloan protection mechanism and exploited the deflationary mechanism that burns tokens on the pair to drain the victim pair of ~$590K."

 

"The attacker repeatedly swapped IPC tokens in and out of the victim pair but did not trigger the protection logic against such behavior.

 

Instead of regular swapping through a router, the attacker used the low-level 'swap()' of the pair to swap out both tokens that, during IPC transfer, the reserve has not been updated.

 

The _isRemoveLP() compares the USDT reserve and balance on the pair and returns True, and thus _transfer() logic does not deem the IPC transfer as buy, and transferTime[recipient] is not properly updated."

 

"The root cause is the _destroy() function in the _transfer() function which will update the token balance of the swap thus impact the K number. We are not sure if this is a hack or rugpull."

 

Losses were widely reported publicly as $590k, though one source reported $560k. Actual blockchain data appears to show a value of $592k.

 

Explore This Case Further On Our Wiki

On January 7th, 2025, the IPC AI token was exploited, resulting in a loss of approximately $590K. The attacker called the pair's low-level swap() function directly rather than swapping through a router, so the IPC transfers were not classified as buys and the token's flashloan protection was never triggered. This let the attacker repeatedly swap IPC tokens in and out of the victim's liquidity pool (LP) without triggering the buy logic or proper balance updates, and exploit the deflationary mechanism that burns tokens from the pair. The exploit took advantage of flaws in the _isAddLP() and _transfer() functions, and the attacker drained the victim's pool while evading the protective measures. Whether the incident was a hack or a rugpull remains unclear.
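Why a transfer hook that burns tokens held by the pair is unsafe can be seen in a small constant-product model. This is an added illustration, not the IPC contract's code: the reserves, the 0.25% pair fee, the `Pair` class and the `burn_from_pair` parameter are all assumptions constructed for the example.

```python
# Simplified constant-product pair (added illustration, not the IPC contract).
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 9975, 10000  # assumed 0.25% pair swap fee


@dataclass
class Pair:
    ipc: int   # IPC reserve
    usdt: int  # USDT reserve

    def k(self) -> int:
        return self.ipc * self.usdt

    def buy(self, usdt_in: int) -> int:
        """Swap USDT for IPC; returns the IPC sent out."""
        eff = usdt_in * FEE_NUM
        out = eff * self.ipc // (self.usdt * FEE_DEN + eff)
        self.usdt += usdt_in
        self.ipc -= out
        return out

    def sell(self, ipc_in: int, burn_from_pair: int = 0) -> int:
        """Swap IPC for USDT. burn_from_pair models a token transfer hook that
        destroys IPC held by the pair and syncs reserves before the swap."""
        self.ipc -= burn_from_pair  # burn + sync: k drops without any trade
        eff = ipc_in * FEE_NUM
        out = eff * self.usdt // (self.ipc * FEE_DEN + eff)
        self.ipc += ipc_in
        self.usdt -= out
        return out


def round_trip(burn_pct: int) -> tuple[int, int, bool]:
    """Buy, then sell the same IPC. Returns (usdt_in, usdt_out, k_dropped)."""
    pair = Pair(ipc=1_000_000, usdt=1_000_000)  # constructed reserves
    usdt_in = 100_000
    ipc = pair.buy(usdt_in)
    k_before = pair.k()
    burn = ipc * burn_pct // 100  # fraction of the sell amount burned from pair
    k_dropped = (pair.ipc - burn) * pair.usdt < k_before
    usdt_out = pair.sell(ipc, burn_from_pair=burn)
    return usdt_in, usdt_out, k_dropped


if __name__ == "__main__":
    for pct in (0, 50):
        print(pct, round_trip(pct))
```

With no burn the round trip loses the swap fees, as expected; with a burn taken from the pair, k falls without a trade and the same round trip returns more USDT than it put in. A token test suite can assert that no transfer path ever lowers the pair's k.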
