Verify a decision

{"actor":"system:backfill","investigation_id":"b3ddaae2-0b5a-442b-9961-ca72465cfe7a","kind":"publish","page_slug":"dlmc-token-bnb-chain-flash-loan-exploit","published_at":"2026-06-26T17:19:39.096Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"DLMC Token (BNB Chain Flash Loan Exploit)","sections":[{"content":"DLMC, described on its official website as the 'Decentralized Legacy Management Corporation,' presents itself as a blockchain-based DeFi ecosystem on BNB Chain offering automated token minting on purchases, burning on sales, liquidity pool-based price calculations, community governance, and referral rewards. The project's website (dlmc.io) claims the protocol is '100% fully decentralized,' CertiK-verified, and features renounced ownership with locked liquidity. The minimum deposit is marketed as $1. No team members, founders, or corporate registrations are publicly identified on the project's website. Contact information is limited to two email addresses and social media accounts on Facebook, X (Twitter), Instagram, YouTube, and Telegram under the handle 'DlmcOfficial.'","heading":"Project Overview","severity":"medium","sources":[{"credibility":2,"name":"DLMC official website","type":"official","url":"https://www.dlmc.io/"}]},{"content":"On June 24, 2026, at approximately 11:15 UTC, an attacker exploited a price manipulation vulnerability in the DLMC smart contract on BNB Chain, resulting in a net loss of approximately $222,560 USDT from the protocol's treasury. The attack occurred in block 106091607. The attacker's externally owned account (EOA) is identified as 0x74c4a756933d0f713facb1dea325ef511646c3b1, and profits were routed to a receiver address at 0x701bb7b460ae231dbbcfa3d87f0ab5b458429699. The vulnerable DLMC contract address is 0xf2ca2a3572b26ae7c479dc7ae36d922113b1bdf2. The attacker flash-swapped approximately 1.42 million USDT from a PancakeSwap liquidity pair and used helper contracts to execute large purchases of DLMC tokens totaling approximately $1.42 million USDT. These purchases artificially inflated the protocol's internal USDT reserves. Because the contract's internal pricing function calculated price as USDT reserves divided by circulating supply — and excluded newly minted contract-held tokens from the circulating supply denominator — the internal price of DLMC surged from approximately $0.41 to approximately $25 per token. The attacker then redeemed approximately 65,908 DLMC in referral and DAO reward tokens at the inflated price, extracting approximately 1.646 million USDT. After repaying the flash loan of approximately 1.424 million USDT, the attacker retained a net profit of approximately $222,560 USDT. TenArmor Security's monitoring system (TenArmorAlert) first publicly flagged the suspicious activity on June 25, 2026, followed by DeFi_Nerd_sec and DefimonAlerts.","heading":"Flash Loan Exploit — June 24, 2026","severity":"critical","sources":[{"credibility":2,"name":"DLMC Token on BNB Chain Loses Approximately $222,600 in Flash Loan Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/dlmc-token-on-bnb-chain-loses-approximately-222600-in-flash-loan-exploit/"},{"credibility":2,"name":"DLMC Token on BNB Chain Drained of $222,500 in Flash Loan Price Manipulation Exploit — Cryip","type":"news_article","url":"https://cryip.co/dlmc-token-flash-loan-exploit-bnb-chain/"}]},{"content":"Security researchers identified the core vulnerability as a 'self-referential pricing trap' within the protocol's _updatePrice() function. The function calculated token price as USDT reserves divided by circulating supply, but the protocol's buy function minted the majority of new DLMC tokens directly to the contract address itself (address(this)) rather than distributing them to external holders. These contract-held tokens were excluded from the circulating supply denominator. This architectural decision meant that a flash-funded deposit could disproportionately inflate the numerator (USDT reserves) while leaving the denominator (circulating supply) nearly unchanged — causing the internal price to spike dramatically within a single atomic transaction. The protocol then allowed redemption of referral and DAO reward tokens at this artificially elevated price, enabling the attacker to extract USDT from the treasury. Researchers noted that despite the project having received a CertiK smart contract verification, the audit did not catch this economic logic vulnerability. The exploit illustrates that cryptographic and code-correctness audits may not surface adversarial economic modeling flaws, particularly those involving flash loan interactions with internal pricing mechanisms.","heading":"Root Cause: Self-Referential Pricing Trap","severity":"critical","sources":[{"credibility":2,"name":"DLMC Token on BNB Chain Loses Approximately $222,600 in Flash Loan Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/dlmc-token-on-bnb-chain-loses-approximately-222600-in-flash-loan-exploit/"},{"credibility":2,"name":"DLMC Token on BNB Chain Drained of $222,500 in Flash Loan Price Manipulation Exploit — Cryip","type":"news_article","url":"https://cryip.co/dlmc-token-flash-loan-exploit-bnb-chain/"}]},{"content":"As of June 25, 2026, no public post-exploit statement, compensation plan, or remediation roadmap has been issued by the DLMC team or any identifiable representative. The protocol's claimed structure of renounced ownership means no single party retains administrative control of the contract, which may preclude unilateral patching. Community governance proposals could theoretically address the vulnerability, but no such proposals have been publicly recorded. Funds drained in the exploit remained in the attacker-controlled profit receiver address with no known recovery efforts underway. The absence of any identifiable team or formal legal entity means affected users have no identifiable party to approach for restitution.","heading":"Project Response and Recovery Outlook","severity":"high","sources":[{"credibility":2,"name":"DLMC Token on BNB Chain Loses Approximately $222,600 in Flash Loan Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/dlmc-token-on-bnb-chain-loses-approximately-222600-in-flash-loan-exploit/"}]},{"content":"The DLMC project does not publicly disclose any team members, founders, advisors, or corporate registration information on its official website or in available documentation. The protocol's design incorporates referral reward systems and DAO distributions, structural patterns that security researchers and regulators have associated with high-risk or multi-level marketing-style DeFi schemes. The project's marketing materials emphasize low entry thresholds ($1 minimum deposit) and passive reward accumulation, which are characteristics common to retail-targeting DeFi products with elevated risk profiles. While these characteristics do not confirm fraud independently, their combination with the anonymous team, the post-exploit non-response, and the economic vulnerability raises material concerns for prospective users.","heading":"Anonymity and Structural Risk Factors","severity":"high","sources":[{"credibility":2,"name":"DLMC official website","type":"official","url":"https://www.dlmc.io/"},{"credibility":2,"name":"DLMC Token on BNB Chain Drained of $222,500 in Flash Loan Price Manipulation Exploit — Cryip","type":"news_article","url":"https://cryip.co/dlmc-token-flash-loan-exploit-bnb-chain/"}]},{"content":"The following on-chain identifiers are associated with the DLMC exploit. The vulnerable DLMC smart contract is deployed on BNB Chain at address 0xf2ca2a3572b26ae7c479dc7ae36d922113b1bdf2. The attacker's externally owned account is 0x74c4a756933d0f713facb1dea325ef511646c3b1. The profit receiver address, to which the net $222,560 USDT was routed, is 0x701bb7b460ae231dbbcfa3d87f0ab5b458429699. The exploit transaction occurred in BNB Chain block 106091607. PancakeSwap was the source of the flash loan used in the attack.","heading":"On-Chain Identifiers","severity":"medium","sources":[{"credibility":2,"name":"DLMC Token on BNB Chain Loses Approximately $222,600 in Flash Loan Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/dlmc-token-on-bnb-chain-loses-approximately-222600-in-flash-loan-exploit/"},{"credibility":2,"name":"DLMC Token on BNB Chain Drained of $222,500 in Flash Loan Price Manipulation Exploit — Cryip","type":"news_article","url":"https://cryip.co/dlmc-token-flash-loan-exploit-bnb-chain/"}]}],"sources_used":[{"credibility":2,"name":"DLMC Token on BNB Chain Loses Approximately $222,600 in Flash Loan Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/dlmc-token-on-bnb-chain-loses-approximately-222600-in-flash-loan-exploit/"},{"credibility":2,"name":"DLMC Token on BNB Chain Drained of $222,500 in Flash Loan Price Manipulation Exploit — Cryip","type":"news_article","url":"https://cryip.co/dlmc-token-flash-loan-exploit-bnb-chain/"},{"credibility":2,"name":"DLMC official website","type":"official","url":"https://www.dlmc.io/"}],"summary":"DLMC (Decentralized Legacy Management Corporation) is a BNB Chain DeFi token that suffered a flash loan price manipulation exploit on June 24, 2026, resulting in a net loss of approximately $222,560 in USDT from its treasury. The project markets itself as a fully decentralized, CertiK-verified ecosystem with renounced ownership, but a design flaw in its internal price calculation allowed an attacker to drain funds in a single transaction. No team has been publicly identified, no post-exploit response has been issued, and the protocol's referral and DAO reward structure resemble patterns common in high-risk DeFi schemes.","timeline":[{"date":"2026-06-24","event":"Flash loan exploit executed at approximately 11:15 UTC in BNB Chain block 106091607. Attacker used a 1.42 million USDT PancakeSwap flash loan to inflate the internal DLMC price and drain approximately $222,560 net from the treasury.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/25/dlmc-token-on-bnb-chain-loses-approximately-222600-in-flash-loan-exploit/"},{"date":"2026-06-25","event":"TenArmorAlert, DeFi_Nerd_sec, and DefimonAlerts publicly flagged the exploit. Security reports analyzed the root cause as a self-referential pricing trap in the _updatePrice() function.","source":"CryptoTimes / Cryip","source_url":"https://cryip.co/dlmc-token-flash-loan-exploit-bnb-chain/"}]},"v":1}