Over 1,400 Liquidators Win $7.3M in DxSale Exploit

A security analyst pointed out that DxSale's old lock-in contract may contain an unverified backdoor vulnerability.

More than 1,400 liquidity pools tied to old DxSale contracts on the BNB Chain were dumped by blockchain security firms on May 29 in a $7.3 million exploit.

The attack adds to a growing list of DeFi breaches this month, as security experts warn that aging smart contracts and weak access controls are leaving protocols behind.

what happened

According to the on-chain security account PeckShieldAlert, a user named “Tahax” first identified the exploit. According to their report, attackers targeted at least 1,400 old DxSale liquidity pool contracts on the BNB Chain and siphoned about $7.3 million worth of crypto from them, hoping to hide their tracks through any swap.

PeckShield added that an address called “0xC457…FA69” transferred 2,958 BNB from the hack, worth $1.87 million, to two main wallets, and then transferred the money to several deposit addresses on Binance.

DxSale is a launchpad platform that allows crypto projects to create tokens and liquidity pools without building their own infrastructure. It was huge five years ago, with many projects launching tokens on the BNB Chain and locking LPs to the protocol.

According to Tahax, the locker still holds LPs of untouched projects for years, which founders and owners believe are safe. However, nine months ago, the DxSale deployer transferred ownership of the lock to a new wallet without any public announcement or migration notice. The rot on the chain says that the lock contract is unverified and probably has a backdoor that the attacker used.

Two days ago, it was reported that 0xC457…FA69, a new wallet backed by Baybit and possibly transferred via AnySwap, took ownership of the lock and started leaking LPs within hours.

You may also like:

DxSale itself has yet to release a statement about the exploit.

DeFi security concerns continue to grow.

The DxSale hack did not happen in isolation, the crypto sector lost at least $650 million in similar incidents in April. May has also had her fair share of attacks, including one last week where someone stole more than $11 million from Verus Bridge by exploiting a flaw in verifying payment amounts. According to security researchers, the attacker entered a small transaction that passed verification checks, triggering a large withdrawal from the bridge's inventory.

Liquidity provider TrustedVolumes was also hit for $5.9 million earlier this month after a hacker exploited vulnerabilities in its custom settlement system, with analysts suggesting that the exploit worked by verifying the protocol from another address.

THORChain was also a victim, with on-chain sleuth ZachXBT saying it may have lost more than $10 million, with the RUNE token dropping 15% in minutes.

This unrelenting flow of exploits has prompted a response, with Openzeppelin founder Manuel Araoz declaring that “all DeFi is insecure” as AI-powered attackers are finding vulnerabilities faster than security teams can fix them.