DxSale Drained of $7.3M as Backdoor Hits 2021-Era BNB Lockers

Published: May 30, 2026
By SpendNode Editorial

Key Analysis

An attacker drained $7.3M in BNB from more than 1,400 DxSale liquidity lockers dating to 2021, using a privileged fee reset and a backdated lock expiry.

An attacker drained roughly $7.3 million in BNB from more than 1,400 liquidity provider positions held in old DxSale locker contracts, according to security firms PeckShield and Coinsult, who flagged the activity on May 28, 2026. Most of the affected liquidity had been sitting in those contracts since 2021, when DxSale was a common tool for launching tokens on BNB Chain. BNB traded at $672.55 as of May 30, up 5.8% on the day, which set the dollar value of the stolen tokens near the top of their recent range.

The mechanism behind the drain

The exploit did not rely on a bug in math or a flash loan. It used permissions that the contract already granted. Coinsult traced the drain to a privileged setFee function combined with a backdated lock configuration. The attacker first reset the locking fee to 1 wei, the smallest possible unit, which removed any cost barrier to editing locked positions. The next call set the lock expiration to a timestamp 68 seconds after the Unix epoch, a date in January 1970. That single change told the contract every position had unlocked decades ago, and the BNB was free to withdraw.

Positions that owners believed were sealed for years became open in two transactions. Because the lockers were old, many depositors had likely stopped watching them entirely.

A custody trail that went quiet

The more troubling detail is how the privileged keys got where they were. On-chain records cited by analysts show the DxSale deployer transferred ownership of a key locker contract to a new wallet roughly 269 days before the incident, with no public announcement. Admin rights then moved through about 80 separate wallet transfers, a pattern that obscured who actually controlled the contract by the time it was emptied.

That history is why community researchers, including the analyst Tahax, raised the possibility of insider involvement rather than an outside break-in. Some pointed to older signals: screenshots circulating in August 2025 described a Telegram service offering to unlock old DxSale LPs, with the operator claiming ties to the team. None of that is proven, and DxSale had not published an official statement at the time of writing. The on-chain facts, though, are not in dispute: the keys were moved, then used.

Funds did not stay still. An attacker-controlled address labeled 0xC457 routed about $1.87 million in BNB through two primary wallets and on to several deposit addresses tied to Binance, the usual pattern for cashing out before tracing tightens.

The risk that outlives a token launch

This drain is a reminder that locked liquidity is only as safe as the contract holding it and the keys behind that contract. A time lock displayed in a dashboard is a promise enforced by code someone can still control. When admin functions like fee setting and lock timing remain privileged, the lock is conditional, not absolute. The 2021 vintage matters here: code audited or assumed safe years ago can be drained the moment its ownership quietly changes hands.

For anyone still holding balances in third-party smart contracts, the practical step is to check whether old positions exist and whether the controlling contract has changed owners. The deeper lesson runs parallel to the case for holding your own keys: the fewer privileged intermediaries standing between you and your assets, the fewer ways those assets can leave without your signature. Counterparty risk does not disappear because a balance is on-chain; it just moves into the contract's permission set.
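The check described above, together with the two privileged changes from the mechanism section, can be expressed as a small audit over a locker's decoded admin events. This is an added example, not code from the article, DxSale, or the cited firms; the event names, field names, dust-fee threshold, placeholder address and sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class AdminEvent:
    block_time: int   # Unix time of the block that carried the call
    name: str         # hypothetical decoded event name, not DxSale's ABI
    args: dict

DUST_FEE_WEI = 10**9  # assumed policy: a fee under 1 gwei no longer deters edits

def audit(events):
    """Return (code, block_time, detail) findings for risky privileged changes."""
    findings = []
    for ev in sorted(events, key=lambda e: e.block_time):
        if ev.name == "OwnershipTransferred":
            findings.append(("OWNER_CHANGE", ev.block_time, ev.args["new_owner"]))
        elif ev.name == "FeeSet" and ev.args["fee_wei"] < DUST_FEE_WEI:
            findings.append(("DUST_FEE", ev.block_time, ev.args["fee_wei"]))
        elif ev.name == "LockExpirySet" and ev.args["expiry"] <= ev.block_time:
            # An expiry at or before the current block unlocks the position at once.
            findings.append(("BACKDATED_EXPIRY", ev.block_time, ev.args["expiry"]))
    return findings

def owner_changes_before(findings, code):
    """Count ownership transfers that preceded the first finding with `code`."""
    first = min((t for c, t, _ in findings if c == code), default=None)
    if first is None:
        return 0
    return sum(1 for c, t, _ in findings if c == "OWNER_CHANGE" and t < first)

# Constructed sample events; timestamps and the address are placeholders.
T0 = 1_779_926_400
DAY = 86_400
SAMPLE_EVENTS = [
    AdminEvent(T0 - 900 * DAY, "FeeSet", {"fee_wei": 10**17}),               # ordinary fee
    AdminEvent(T0 - 800 * DAY, "LockExpirySet", {"expiry": T0 + 365 * DAY}),  # future expiry
    AdminEvent(T0 - 269 * DAY, "OwnershipTransferred", {"new_owner": "0xNEW_OWNER_PLACEHOLDER"}),
    AdminEvent(T0, "FeeSet", {"fee_wei": 1}),              # fee reset to 1 wei
    AdminEvent(T0 + 3, "LockExpirySet", {"expiry": 68}),   # expiry in January 1970
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

An ownership change on its own is only a prompt to look closer; the dust fee followed by a backdated expiry is the combination the article describes.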

DxSale is not alone in carrying legacy infrastructure that predates current security norms. The episode sits alongside a run of recent incidents, from frozen stablecoin balances to a prosecuted DEX rug pull, where the failure point was governance and access control rather than cryptography.

Overview

An attacker exploited privileged controls in old DxSale liquidity lockers to drain about $7.3 million in BNB from more than 1,400 positions, many dating to 2021. The method combined a fee reset to 1 wei with a lock expiry backdated to 1970. Contract ownership had moved through roughly 80 wallets over 269 days before the drain, fueling insider speculation that DxSale has not yet addressed. Funds were routed toward Binance deposit addresses.

Disclaimer: This article is provided for informational purposes only and does not constitute financial advice. All fee, limit, and reward data is based on issuer-published documentation as of the date of verification.
