Headline: DxSale liquidity locker exploited for $7.3M in BNB — investigators point to hidden backdoor and privileged function
DxSale, the once-popular liquidity locker used heavily for BNB Chain token launches in 2021, was hit by a roughly $7.3 million exploit that let an attacker withdraw BNB locked by more than 1,400 liquidity providers.
What happened
- Security firm PeckShield and independent analyst Tahax traced the attack to an address identified as 0xC457. That address funneled about $1.87 million in BNB into two main wallets before distributing funds to multiple Binance deposit addresses.
- The affected funds were held in DxSale lockers that had been used since 2021 for token launches and were believed to be locked and untouchable.
Technical findings and alleged backdoor
- Early chain analysis suggests the exploit stemmed from a change in contract ownership months before the withdrawals. Tahax found more than 80 transactions passing control between wallets before final control landed with the exploiter address, which then executed large-scale withdrawals.
- Web3 security firm Coinsult and on-chain researchers point to a combination of a privileged contract function (reported as a “setFee” mechanism) and a manipulated/backdated lock period that allowed balances meant to be locked to be treated as withdrawable.
- Coinsult’s on-chain write-up identified the draining contract (0xc2efbd94…01e4718), deployed about nine hours before discovery, as unverified (solc 0.8.33). The drainer reportedly hardcodes the victim locker as immutable, routes through WBNB, and gates functions in a way that enabled repeated withdrawals.
- Tahax also flagged a possible backdoor in the deployer contract that created the conditions for exploitation.
Funds movement and laundering attempts
- By the time the attack path was reconstructed, some funds had already been mixed through infrastructure that complicates tracking. Social posts and on-chain tracing indicate the attacker moved funds through apparent mixing tools (one thread cites activity resembling anyswapbot), then into multiple exchange deposit addresses — likely an attempt to cash out.
Context: a bad week for DeFi
- The DxSale breach arrives amid a surge in DeFi security incidents. DefiLlama data cited in reports shows roughly $52 million lost to exploits in May so far, following about $634 million stolen in April — the highest monthly total since February 2025.
- Recent high-profile incidents include Stake DAO’s Arbitrum sdCRV exploit, where attackers minted over 5.4 trillion vsdCRV and began swapping them for ETH; and Wasabi Protocol, which reportedly lost more than $5 million after an exposed admin key allowed contract upgrades and drains across Ethereum, Base, Berachain, and Blast.
- OpenZeppelin co-founder Manuel Aráoz warned that AI-assisted vulnerability discovery is accelerating attackers’ ability to find and exploit weaknesses, increasing systemic risk across DeFi.
Cumulative cost
- According to DefiLlama, crypto exploits have driven more than $17 billion in cumulative losses, with approximately $7.8 billion taken from DeFi protocols alone.
What to watch next
- Investigators will likely keep tracking the on-chain trail and exchange deposit addresses to recover funds or identify cash-out points. The DxSale community — and anyone with assets in legacy liquidity lockers — should audit exposure and review whether older locker contracts include privileged functions or upgradeable/deployer components that could be abused.
We’ll update as firms and exchanges disclose more information or as law enforcement and trace teams publish further findings.
Read more AI-generated news on: undefined/news
