DxSale Liquidity Locker Exploit

On May 27, 2026, DxSale, a long-running BNB Chain launchpad and token-locker service, lost approximately $7.3 million when an attacker drained BNB from more than 1,400 legacy liquidity-locker positions dating back to 2021.

What happened

The funds sat in an old DxSale liquidity-locker contract. Roughly 269 days before the drain, the DxSale deployer quietly called transferOwnership to hand control of the legacy locker to a new wallet, with no public announcement or migration notice. Control then moved through more than 80 transactions before reaching the attacker address (0xC457…). Wielding owner privileges, the attacker manipulated unlock timestamps and cut withdrawal fees to near zero, then used EIP-7702 batch delegation and custom contracts to unlock and sweep hundreds of pools in a single coordinated flow. On-chain trackers followed roughly $1.87 million in BNB into intermediary wallets and onward to Binance deposit addresses.

Aftermath

Researchers flagged strong signs of insider involvement — including Telegram offers as far back as August 2025 claiming internal access to unlock old DxSale LPs — though others noted the same outcome could follow a private-key compromise of the privileged owner account. The drained locks were legacy positions; affected token teams and liquidity providers had little recourse, and no recovery was reported.

Why it matters

DxSale is a reminder that renounced-looking infrastructure can still carry a live privileged key. A locker exists to guarantee that funds cannot move — so a silent ownership transfer quietly inverts the entire security promise. The privileged-access pattern mirrors admin-key drains such as Munchables and the owner-key abuse at Atlantis Loans, while the rug-adjacent ambiguity recalls insider-suspected exits like Merlin DEX. Whether leak or inside job, the lesson is identical: a lock is only as trustworthy as the key behind it.