DxSale legacy liquidity locker on BNB Chain was drained for $7.3M after attackers unlocked LP tokens from 1,400+ dormant pools.
Author: Akshat Thakur
28th May 2026 – A wallet that gained control of DxSale’s legacy liquidity locker on BNB Chain has drained approximately $7.3 million in LP tokens from more than 1,400 pools, according to on-chain investigator @Tahax1.
High Signal Summary For A Quick Glance
Alex
@aleeeexcool
@Tahax1 @dxsale @BNBCHAIN @AnySwapBot So the project decided to steal the money? Lol
🚨 BREAKING: @DxSale just drained ~$7.3M from OG @BNBCHAIN LPs DxSale ran the largest liquidity locker of 2021. Hundreds of millions sat inside it. Even $SAFEMOON was locked here The team is now mixing the funds through what looks like @anyswapbot, and funds are now untraceable https://t.co/wYOv7LsIS0
06:30 PM·May 28, 2026
ARCANE
@samuel__gram
@Tahax1 @dxsale @BNBCHAIN @AnySwapBot 7M drained from old locked LPs after silent ownership transfer? Crazy.
🚨 BREAKING: @DxSale just drained ~$7.3M from OG @BNBCHAIN LPs DxSale ran the largest liquidity locker of 2021. Hundreds of millions sat inside it. Even $SAFEMOON was locked here The team is now mixing the funds through what looks like @anyswapbot, and funds are now untraceable https://t.co/wYOv7LsIS0
04:35 PM·May 28, 2026
erdogan
@erdoganich
@Tahax1 @dxsale @BNBCHAIN @AnySwapBot Lil cocky for a guy who just stole millions dont you think @Tahax1 https://t.co/5YsVKhyKF4
🚨 BREAKING: @DxSale just drained ~$7.3M from OG @BNBCHAIN LPs DxSale ran the largest liquidity locker of 2021. Hundreds of millions sat inside it. Even $SAFEMOON was locked here The team is now mixing the funds through what looks like @anyswapbot, and funds are now untraceable https://t.co/wYOv7LsIS0
04:03 PM·May 28, 2026
Steady attention without excessive speculation.
The affected pools date back to 2021. DxSale served as the default liquidity locker for thousands of BNB Chain token launches during that era. One of the most notable victims is the original SAFEMOON liquidity pool.
As of May 28, 2026, approximately $1.74 million has already been withdrawn. An estimated $2.91 million remains at risk.
This was not a flash exploit. The attack began approximately 269 days before the drain. Around late August or early September 2025, ownership of the legacy locker contract was silently transferred.
According to analysis by @Param_eth, the ownership passed through roughly 80 intermediate wallets before landing at the final address: 0xC457…FA69. That wallet received funding through Bybit and bridge activity.
Once in control, the attacker deployed a custom drainer contract. This contract manipulated the locker’s internal parameters in a specific sequence. It set lock fees to 1 wei, essentially zero. Then it created new locks on already-locked LP positions. It backdated the unlock timestamps to January 1, 1970, known as Unix epoch zero.
That made every affected pool immediately withdrawable. The drainer looped “Unlock Token” calls across all 1,400 pools and extracted the LP tokens.
The attacker swapped the drained funds to BNB through PancakeSwap. From there, the proceeds moved through bridge and mixer services resembling @anyswapbot, making them untraceable.
DxSale has not issued any public statement about the incident. The team’s last known activity on social media predates the drain.
Timeline of the DxSale Legacy Locker Drain
DxSale debuts as a permissionless IDO launchpad and liquidity-locking platform during the early BSC expansion phase, rapidly becoming one of the ecosystem’s most widely used trust layers for retail token launches.
Thousands of projects lock liquidity through DxSale’s legacy locker contracts, including major BNB Chain-era tokens like SafeMoon. Hundreds of millions in LP tokens are committed, many using extremely long lock durations.
The original deployer quietly transfers ownership of the unverified legacy locker contract to a new wallet. No public announcement, migration warning, or user communication is issued.
Control of the contract moves through roughly 80 intermediary wallets, effectively laundering the ownership trail while maintaining admin-level access to the legacy liquidity lockers.
Ownership lands at wallet 0xC4574DDEF299e7E563971e200433e592EeaaFA69, reportedly funded through Bybit and Anyswap-linked infrastructure shortly before exploit activity begins.
A malicious contract is deployed and withdrawals begin across vulnerable legacy DxSale pools, targeting old LP positions that still relied on the compromised locker infrastructure.
Drained LP assets are swapped into BNB via PancakeSwap and routed through Anyswap-style bridge and mixer infrastructure, significantly complicating onchain tracing efforts.
Approximately $1.74M has already been drained and mixed, while another $2.91M remains exposed across legacy pools. Estimated total impact exceeds $7.3M affecting more than 1,400 pools. DxSale has not issued any public response since February 2026.
During the 2021 BSC boom, DxSale (dx.app) was one of the largest decentralized launchpad and liquidity locker platforms on BNB Chain. Projects used its locker to show that their LP tokens were safely locked. That served as a trust signal for retail investors.
Hundreds of millions of dollars sat inside DxSale’s contracts at its peak. As @Tahax1 noted, “In 2021, if you launched a token on BNB Chain, you locked your LP with DxSale. It was the trust layer for retail.”
That trust is now broken. Allegedly, the same infrastructure designed to prevent rug pulls has enabled one instead.
A critical detail stands out in this incident. The legacy locker contract was never source-verified on BscScan. That means its code was not publicly readable, and no external auditor or user could inspect its admin permissions.
For a contract that held millions in locked LP tokens over several years, this represents a significant oversight. The unverified status shielded the ownership transfer from casual on-chain monitoring.
This is not unique to DxSale. DeFi remains filled with old, unaudited contracts that still hold real value. No one actively monitors most of them. This DxSale liquidity drain illustrates what happens when legacy infrastructure meets a patient attacker.
DxSale’s locker architecture has faced scrutiny before. In 2023, security firm Decurity disclosed a vulnerability in a related Dx Protocol locker contract. That flaw also enabled unauthorized unlocking of LP tokens.
The 2023 disclosure established a precedent. It showed that the DxSale locker design had exploitable logic. It also raised questions about whether other contract versions shared the same flaw.
The story spread rapidly on X after @Tahax1’s initial thread. That thread accumulated more than 34,000 views within hours. The dominant reaction was shock and anger.
“The biggest trusted liquidity locker protocol just allegedly stole $7.3 million,” wrote @Param_eth in a corroborating analysis.
Community member @0xsadikbaba attributed the DxSale liquidity drain to a known figure dubbed the “Hash Again Scammer.” He stated, “This was not some random hacker. The backdoor existed. They knew it. They used it.” That attribution remains unverified.
Some replies dismissed the story as “fake news,” but those claims gained no traction. Multiple independent analysts confirmed consistent on-chain wallet activity matching the described exploit pattern.
Several key questions are still unanswered. The exact identity of the attacker is unclear. The attacker could be an insider with old admin keys. Alternatively, an external actor may have compromised the deployer wallet.
It is also unknown whether every project that locked liquidity on DxSale is affected, or only specific legacy pools. The final destination of all drained funds after mixing remains untraceable, according to investigators.
No law enforcement agency, exchange, or regulatory body has issued any statement or freeze order related to the incident. No major security firms like PeckShield or SlowMist have published independent analysis yet.
The DxSale liquidity drain is a stark reminder. “Locked liquidity” is only as safe as the contract holding it. When that contract has an unverified codebase and a transferable admin key, the lock is an illusion.
Users who relied on DxSale’s locker during the 2021 BSC era had no way to detect this. The trust was based on reputation, not on code verification.
For projects and investors still using legacy locker contracts on any chain, this incident underscores a clear lesson. Verify the contract source code. Monitor ownership changes. And understand that a lock is only as strong as the admin controls behind it.
This is not financial advice. Always conduct your own research before making investment decisions.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
DxSale Liquidity Drain Hits 1,400 BNB Chain Pools for $7.3M
James Wynn Accused of $WORLD Rug Pull for 3.2 SOL
StakeDAO Exploit Mints 5.4T vsdCRV on Arbitrum
GLOVE Exploit Drains $200K From WUSD.fi via Sybil Attack
DxSale Liquidity Drain Hits 1,400 BNB Chain Pools for $7.3M
James Wynn Accused of $WORLD Rug Pull for 3.2 SOL
StakeDAO Exploit Mints 5.4T vsdCRV on Arbitrum
GLOVE Exploit Drains $200K From WUSD.fi via Sybil Attack
