A $7.3 million exploit targeting DxSale’s legacy liquidity lockers has sparked allegations of insider involvement after investigators uncovered suspicious ownership transfers and a suspected contract backdoor.
Key Takeaways
- DxSale lost approximately $7.3 million after an attacker drained funds from around 1,400 BNB Chain liquidity pools.
- Researchers linked the exploit to a suspected backdoor and privileged contract functions that may have allowed locked funds to be withdrawn.
- Onchain investigators have raised questions about possible insider access, citing ownership transfers and past claims involving old liquidity pool unlocks.
- The incident adds to a growing wave of DeFi exploits, with more than $52 million stolen across the sector in May alone.
What Happened?
Memecoin launch platform DxSale suffered a major security breach after an attacker drained roughly $7.3 million worth of assets from liquidity pools locked on BNB Chain. The exploit affected approximately 1,400 liquidity providers whose funds had remained locked since the platform’s peak usage during the 2021 token launch boom.
Blockchain security firms and independent analysts have since traced the attack path, uncovering evidence of suspicious contract ownership changes, hidden permissions, and possible insider knowledge that may have contributed to the breach.
#PeckShieldAlert Tahax reported that @DxSale was drained ~$7.3M from 1,400 @BNBCHAIN LPs.
The address 0xC457…FA69 transferred a total of 2,958 $BNB (~$1.87M) to 2 main wallets, and subsequently deposited to multiple #Binance deposit addresses.
— PeckShieldAlert (@PeckShieldAlert) May 29, 2026
Investigators Trace Attack to Legacy Liquidity Lockers
According to blockchain security firm PeckShield, the attacker-controlled wallet “0xC457” moved around 2,958 BNB, worth roughly $1.87 million, into two primary wallets before sending funds to multiple Binance deposit addresses.
The exploit specifically targeted liquidity pools that had been locked through DxSale’s locker contracts years ago. These contracts continued to hold liquidity from projects launched on BNB Chain during the platform’s rapid growth phase in 2021.
Blockchain analyst Tahax reported that the exploiter wallet appeared to be newly created and was initially funded through crypto exchange Bybit. The analyst also traced a series of ownership changes connected to the affected contracts, suggesting preparations for the exploit may have begun months before the attack occurred.
Ownership Transfers Raise Red Flags
One of the most concerning findings involves the ownership history of DxSale’s locker contracts.
Investigators claim ownership of legacy locker infrastructure was quietly transferred approximately nine months ago to a new wallet and later passed through more than 80 separate transactions. These transfers allegedly obscured the trail before ownership ultimately reached a wallet linked to the exploit.
According to Tahax, the contract deployer transferred ownership without any publicly announced migration process. The analyst alleged that a backdoor may have remained embedded within the deployer contract, creating conditions that later enabled the large-scale withdrawal of funds.
The attacker then reportedly used a chain of wallets to conceal activity before executing the final drain of locked liquidity.
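A defender-side check for the pattern described above, as an added example that is not from the article, the investigators, or DxSale: it walks ownership-change events for one watched contract and flags every new owner that was never publicly announced. It assumes the contract emits the standard OpenZeppelin Ownable OwnershipTransferred event, which the article does not confirm for DxSale’s lockers; all addresses and log entries are constructed.

```python
# Added example: flag unannounced ownership changes on a watched contract.
# Assumption: the contract emits the OpenZeppelin Ownable event
# OwnershipTransferred(address indexed previousOwner, address indexed newOwner).
# All addresses and log entries below are constructed sample data.
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"

def topic_to_address(topic):
    """An indexed address topic is 32 bytes; the address is the last 20."""
    return "0x" + topic[-40:].lower()

def ownership_changes(logs, watched):
    """Yield (block, old_owner, new_owner) for each transfer on `watched`, in chain order."""
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if (log["address"].lower() != watched.lower() or len(topics) != 3
                or topics[0].lower() != OWNERSHIP_TRANSFERRED):
            continue
        yield log["blockNumber"], topic_to_address(topics[1]), topic_to_address(topics[2])

def audit(logs, watched, announced_owners):
    """Return the owner hop chain and alerts for owners that were never announced."""
    announced = {a.lower() for a in announced_owners}
    chain, alerts = [], []
    for block, old, new in ownership_changes(logs, watched):
        if chain and chain[-1] != old:
            alerts.append((block, "gap", old))  # missing event or inconsistent history
        if not chain:
            chain.append(old)
        chain.append(new)
        if new not in announced:
            alerts.append((block, "unannounced_owner", new))
    return chain, alerts

def sample_addr(byte):
    return "0x" + byte * 20  # constructed 20-byte address

def sample_log(block, contract, old, new, idx=0):
    pad = lambda a: "0x" + "0" * 24 + a[2:]  # left-pad address to a 32-byte topic
    return {"address": contract, "blockNumber": block, "logIndex": idx,
            "topics": [OWNERSHIP_TRANSFERRED, pad(old), pad(new)]}

LOCKER, DEPLOYER = sample_addr("aa"), sample_addr("d0")
HOP1, HOP2 = sample_addr("b1"), sample_addr("b2")
SAMPLE_LOGS = [
    sample_log(300, LOCKER, HOP1, HOP2),
    sample_log(100, LOCKER, DEPLOYER, HOP1),
    sample_log(200, sample_addr("cc"), DEPLOYER, HOP2),  # different contract, ignored
]
```

Calling audit(SAMPLE_LOGS, LOCKER, [DEPLOYER]) returns the hop chain from the deployer onward and one alert per owner missing from the announced list.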
Security Researchers Identify Suspected Backdoor
Further analysis from Web3 security firm Coinsult pointed to a combination of privileged contract permissions and manipulated lock settings.
The firm stated that a privileged “setFee” function, combined with a backdated lock period, effectively converted assets that should have remained locked into withdrawable balances.
❗ About that DxSale locker ‘backdoor’, we have analysed it on-chain. Here is our take:
The drainer: 0xc2efbd94…01e4718, unverified, solc 0.8.33, deployed ~9h ago by 0xC4574DD…aaFA69. It hardcodes the victim locker as an immutable + WBNB for routing, and gates every function… https://t.co/POq7z2C8Pp
— Coinsult – Audits & Development (@CoinsultAudits) May 28, 2026
Coinsult explained:
“A privileged setFee plus a backdated lock turned ‘locked’ deposits into a withdrawable balance.”
Researchers believe the attacker leveraged these contract-level weaknesses to repeatedly withdraw funds until the liquidity reserves were exhausted.
After the withdrawals, the stolen assets were reportedly swapped into BNB and routed through additional infrastructure that may complicate tracking efforts.
Insider Access Allegations Gain Attention
Beyond technical vulnerabilities, some investigators are focusing on possible insider involvement.
Onchain analyst Eyeonchain pointed to discussions that allegedly took place in 2025 involving individuals who claimed they could unlock old liquidity pools associated with projects launched before late 2021. According to the analyst, those individuals suggested they had access to wallets connected to DxSale’s fundraising infrastructure and sought a percentage of recovered funds as payment.
Based on these claims and the exploit’s execution, Eyeonchain argued that the attacker may have possessed insider-level knowledge of the locker system. While no direct evidence has publicly confirmed insider involvement, the allegations have intensified scrutiny of the platform’s historical contract management practices.
DeFi Security Challenges Continue
The DxSale incident arrives during a difficult period for decentralized finance security.
Data from DefiLlama shows that DeFi protocols have lost roughly $52 million to exploits in May. The sector previously recorded around $634 million in losses during April, marking the highest monthly total since February 2025.
The growing frequency of attacks has fueled concerns about the security of smart contract platforms. OpenZeppelin co-founder Manuel Aráoz recently warned that advances in artificial intelligence are making it easier for attackers to discover and exploit vulnerabilities within blockchain applications.
The DxSale breach now joins a growing list of major DeFi exploits that continue to test confidence in decentralized financial infrastructure.
CoinLaw’s Takeaway
In my experience, the most concerning part of this incident is not the $7.3 million loss itself. It is the possibility that a vulnerability may have existed within critical infrastructure for years without being detected or publicly disclosed. If investigators ultimately prove insider involvement or confirm that a hidden backdoor was intentionally left behind, it would represent a serious breach of trust for users who believed their liquidity was securely locked.
I found the ownership transfers and alleged prior discussions about unlocking old liquidity pools particularly difficult to ignore. The crypto industry has made progress in security, but cases like this show that transparency and contract oversight remain just as important as innovation.