On October 30, 2021, the BSC-based DEX BXH ("BiNANCE X Hyperchain") lost approximately $139 million when an admin private key was compromised. The attacker used it to withdraw the protocol's pooled liquidity directly. BXH's CEO publicly stated the key was likely leaked via a compromised administrator account.
What happened
BXH retained a privileged admin authority over its liquidity contracts. The key was compromised; the attacker invoked legitimate privileged withdrawal functions and drained ~$139M across the DEX's pools — no contract bug required.
Aftermath
- BXH paused, offered a bounty, and pursued recovery; minimal returns.
- Despite the size, BXH is comparatively under-remembered relative to similarly-sized 2021-2022 incidents.
Why it matters
BXH is a nine-figure single-admin-key compromise that sits on the exact same line as EasyFi ($81M), Bybit ($1.46B), and the dozens of smaller entries: the security model is the key custody, not the contract. At $139M it is one of the largest losses in the catalogue, yet structurally identical to a $300K farm rug. Its relative obscurity (versus Ronin, Wormhole) is itself instructive — incident notoriety correlates with narrative, not magnitude, which is part of why the same root cause keeps being under-weighted by builders who remember the famous bridge hacks but not the equally-large key compromises.
Sources & on-chain evidence
- [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-bxh-hack-october-2021
- [02]coindesk.comhttps://www.coindesk.com/tech/2021/11/01/139m-bxh-exchange-hack-was-the-result-of-leaked-admin-key
- [03]forkast.newshttps://forkast.news/bxh-exploit-estimated-139m-admin-key-leakage/