
DCF&DCT tokens: The Tragedy of the Forced Investment Incident(2)

liumuhui 8 months ago (01-28) Views: 151 #Blockchain

Root Cause

  • The DCF token’s transfer mechanism enforces a forced investment. When DCF tokens are sent to the USDT-DCF liquidity pool, 5% of the tokens are automatically swapped for USDT within the same pool and then added as liquidity to the USDT-DCT pool. This action triggers a swap in the USDT-DCT pool, which can be manipulated, enabling attackers to execute sandwich attacks for profit.
  • Note that in this attack, "forced investment" means forcing the protocol to execute swaps at outrageous prices.

Attack Steps (based on the tx)

  1. The attacker borrowed approximately 110,355,370 USDT tokens through a flash loan. Using these funds, the attacker executed two swap transactions to manipulate the PancakeSwap V2: BSC-USD-DCF 12 and PancakeSwap V2: BSC-USD-DCT 6 pools. The first transaction allowed the DCT liquidity helper to receive a significant amount of USDT during the subsequent DCF token transfer. The second transaction was executed as a front-run attack. The price difference between the swaps is shown below: [Figures: 2.png, 1.png]
  2. The attacker transferred DCF tokens to the USDT-DCF pool, triggering a swap that converted 5% of the tokens into USDT. Due to the manipulation, a large amount of USDT was received by the DCT liquidity helper, which subsequently used it to execute a swap on the USDT-DCT pool.
  3. The attacker swapped DCT to USDT on the USDT-DCT pool as a back-run attack and made a profit. [Figure: image.png]
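
The USDT-DCT leg of the steps above can be reproduced on a toy constant-product pool. The following is an added example, not code from the DCF/DCT contracts or from the original post: it compares the automatic swap with and without a price-deviation guard. The reserves, amounts, `helper_swap`, `ref_price` and `max_dev` are all constructed or hypothetical; only the 0.25% PancakeSwap V2 swap fee is real.

```python
# Added illustration: constant-product pool (x * y = k) with a 0.25% swap fee.
# All reserves and amounts are constructed, not taken from the incident.
FEE = 0.0025

class Pool:
    def __init__(self, usdt, dct):
        self.usdt, self.dct = float(usdt), float(dct)

    def price(self):
        """Spot price in USDT per DCT."""
        return self.usdt / self.dct

    def buy(self, usdt_in):
        """Swap USDT for DCT; returns the DCT paid out."""
        eff = usdt_in * (1 - FEE)
        out = self.dct * eff / (self.usdt + eff)
        self.usdt += usdt_in
        self.dct -= out
        return out

    def sell(self, dct_in):
        """Swap DCT for USDT; returns the USDT paid out."""
        eff = dct_in * (1 - FEE)
        out = self.usdt * eff / (self.dct + eff)
        self.dct += dct_in
        self.usdt -= out
        return out

def helper_swap(pool, usdt_in, ref_price=None, max_dev=0.02):
    """Hypothetical stand-in for the token's automatic swap.
    ref_price=None models the unguarded behaviour. Otherwise the swap is
    skipped when spot deviates from the reference (e.g. a TWAP) by > max_dev."""
    if ref_price is not None and abs(pool.price() / ref_price - 1) > max_dev:
        return 0.0                      # hold the funds and swap later
    return pool.buy(usdt_in)

def sandwich_pnl(guarded):
    """Net USDT of the party sandwiching the automatic swap."""
    pool = Pool(1_000_000, 1_000_000)   # constructed reserves
    ref = pool.price()                  # reference read before manipulation
    dct = pool.buy(5_000_000)           # front-run moves the spot price
    helper_swap(pool, 2_000_000, ref if guarded else None)  # forced swap
    return pool.sell(dct) - 5_000_000   # back-run

if __name__ == "__main__":
    print(f"unguarded: {sandwich_pnl(False):,.0f} USDT")
    print(f"guarded:   {sandwich_pnl(True):,.0f} USDT")
```

With the guard in place the automatic swap does not execute at the manipulated price, so the round trip only costs the sandwicher two swap fees.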

Ref

https://x.com/Phalcon_xyz/status/1860890801909190664
