GasCope
Old DxSale Lockers Drained for $7.3M as Owner-Key Exploits Pile Up

An attacker drained roughly $7.3 million from more than 1,400 legacy liquidity-provider positions sitting in old DxSale locker contracts on $BNB Chain, security firms PeckShield and Coinsult flagged on May 29. The drain was made possible not by a smart-contract bug but by a silent ownership transfer routed through roughly 80 wallets nine months earlier — a "silent" transfer that, predictably, stayed silent until nine months of compounding fees had built up a target worth raiding. The attacker, operating from address 0xC457…FA69, took control of the legacy locker, reduced its lock-modification fee to one wei, reset lock-expiration timestamps to 68 seconds after the Unix epoch, and then batch-withdrew across 1,400-plus pools, according to Coinsult's trace of the privileged setFee call. The wallet was funded from Bybit and possibly routed through AnySwap; PeckShield reported 2,958 $BNB — about $1.87 million at the time of the drain — moved through two consolidation wallets and into Binance deposit addresses.

The episode crystallizes a pattern that has run through every major $BNB Chain exploit of the last six months: the network's biggest losses are coming from compromised owner keys and abused admin functions, not novel cryptographic flaws. Access-control failures accounted for 69% of all $BNB Chain losses in 2024, according to a joint Hacken / $BNB Chain security report published in September. $BNB Chain, the smart-contract network now ranked second by TVL at $5.37 billion behind only Ethereum, absorbed more than $200 million in exploit losses across 12 incidents last year, more than four times the $47 million it lost in 2024, according to DeFiLlama data. DxSale, a launchpad widely used in the 2021 cycle to mint tokens and lock liquidity on $BNB Chain, eventually posted an incident notice on its official X account confirming an exploit was under investigation, hours after PeckShield and Coinsult had flagged the drain. Founders of projects that had used DxSale's locker years earlier woke up to find LPs they believed were permanently locked already on their way to mixers. The "permanently" part, it turns out, was doing some heavy lifting.

The Ownership Trail

The on-chain analyst who first flagged the incident, who posts as Tahax on X, said the DxSale deployer had silently transferred ownership of the legacy locker to a new wallet "nearly nine months ago," around August 2025, with no public announcement and no migration path for projects whose LPs were still inside. The admin rights then walked through roughly 80 intermediate wallets before landing at the address that executed the drain, a pattern Tahax described as deliberate obfuscation of who actually controlled the contract by the time it was emptied. The locker contract itself was unverified on BscScan, Tahax noted, leaving observers unable to inspect the upgrade path or confirm whether a deliberate backdoor was present from the start. Community researchers have raised the possibility of insider involvement, pointing to screenshots circulating on Telegram in August 2025 that advertised a service offering to unlock old DxSale LPs and claimed internal access. None of that has been proven — though "we definitely did not put a backdoor in nine months ago" is not the sort of thing one typically announces in advance.
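The sequence reported above (ownership hops, a fee cut to one wei, lock expiries reset to 68, then batch withdrawals) is something a project with LPs in a third-party locker can alert on. The following is an added example, not code from DxSale, PeckShield or Coinsult: the record schema, thresholds, sample data and every function name other than `setFee` are assumptions, since the locker contract was unverified.

```python
from dataclasses import dataclass

@dataclass
class Call:      # one decoded call on the locker (constructed schema)
    ts: int      # block timestamp, Unix seconds
    sender: str
    fn: str      # only setFee is named on the page; other names are hypothetical
    args: dict

def audit(calls, min_fee_wei=10**15, burst=3, window=600):
    """Return (ts, rule, detail) alerts; thresholds are assumed defaults."""
    alerts, hops, recent = [], 0, []
    for c in sorted(calls, key=lambda c: c.ts):
        if c.fn == "transferOwnership":
            hops += 1  # every hop is worth a page: locked LPs depend on the owner
            alerts.append((c.ts, "OWNER_CHANGE", f"hop {hops}: {c.sender} -> {c.args['new_owner']}"))
        elif c.fn == "setFee" and c.args["fee_wei"] < min_fee_wei:
            alerts.append((c.ts, "FEE_COLLAPSE", f"fee set to {c.args['fee_wei']} wei"))
        elif c.fn == "setUnlockTime" and c.args["unlock_ts"] <= c.ts:
            # An expiry moved to or before the current block time means the lock is already open.
            alerts.append((c.ts, "LOCK_BACKDATED", f"lock {c.args['lock_id']} expiry={c.args['unlock_ts']}"))
        elif c.fn == "withdraw":
            recent = [t for t in recent if c.ts - t <= window] + [c.ts]
            if len(recent) == burst:  # fire once when the burst threshold is reached
                alerts.append((c.ts, "WITHDRAW_BURST", f"{burst} withdrawals within {window}s"))
    return alerts

T0 = 1_780_000_000  # constructed timestamp; addresses below are placeholders
SAMPLE = [
    Call(T0 - 23_000_000, "0xDEPLOYER", "transferOwnership", {"new_owner": "0xHOP01"}),
    Call(T0 - 22_000_000, "0xHOP01", "transferOwnership", {"new_owner": "0xHOP02"}),
    Call(T0, "0xHOP02", "setFee", {"fee_wei": 1}),
    Call(T0 + 10, "0xHOP02", "setUnlockTime", {"lock_id": 1, "unlock_ts": 68}),
    Call(T0 + 20, "0xHOP02", "withdraw", {"lock_id": 1}),
    Call(T0 + 25, "0xHOP02", "withdraw", {"lock_id": 2}),
    Call(T0 + 30, "0xHOP02", "withdraw", {"lock_id": 3}),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

The `OWNER_CHANGE` rule is the one that would have fired nine months before any funds moved; the other three only fire once the drain is under way.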

The EIP-7702 Companion Pattern

The DxSale drain follows a more technically sophisticated $BNB Chain incident from November, in which the launch-week protocol GANA Payment lost $3.1 million within nine days of going live. In that case, a leaked owner key was paired with an EIP-7702 delegator contract — the new batch-delegation primitive introduced by Ethereum's Pectra upgrade and inherited by $BNB Chain — to bypass the staking contract's onlyEOA check and drain the vault through eight rotated-ownership iterations of a stake-unstake reward-inflation loop. Quill Audits and SlowMist's Yu Xian confirmed the EIP-7702 mechanism on the GANA exploit, identifying the malicious delegator at 0x7A44bD9C6095Ca7b2A6f62FE65b81924c6cAb067 and tracing the laundering: 1,140 $BNB through BSC Tornado Cash, roughly $2.1 million bridged to Ethereum via deBridge and Stargate, and 346 ETH eventually fed through Ethereum Tornado Cash in incremental batches. EIP-7702 has exceeded 25,000 wallet upgrades across Et

Publisher: gascope.com