More than 1,400 liquidity pools associated with legacy DxSale contracts on BNB Chain were drained in a $7.3 million exploit on May 29, security firms reported.
The incident adds to a growing string of DeFi breaches this month, underscoring concerns that aging smart contracts and weak access controls continue to expose protocols to attackers.
What Happened
On-chain security account PeckShieldAlert flagged the exploit after a user named “Tahax” first identified the issue. According to their report, attackers focused on at least 1,400 outdated DxSale liquidity pool contracts on BNB Chain, siphoning roughly $7.3 million in crypto. The stolen funds were routed through AnySwap in an apparent attempt to obscure the trail.
PeckShield noted that an address labeled “0xC457…FA69” moved 2,958 BNB from the compromise—approximately $1.87 million—into two primary wallets, which then distributed the funds through several deposit addresses on Binance.
DxSale is a token launchpad that enabled projects to create tokens and liquidity pools without building custom infrastructure. The platform was widely used about five years ago, and many projects that launched tokens on BNB Chain locked their liquidity pools with DxSale’s locker service.
Tahax reported that the locker still held LP tokens for projects that had lain untouched for years, and many founders and holders assumed those LPs were secure. Nearly nine months earlier, however, the DxSale deployer had transferred ownership of the locker to a new wallet without any public announcement or migration notice. The on-chain investigator said the locker contract was unverified and likely contained a backdoor, which the attacker exploited.
Two days before the exploitation was reported, the wallet 0xC457…FA69—funded from Bybit and potentially routed through AnySwap—allegedly took ownership of the locker and began draining liquidity pools within hours.
At the time of reporting, DxSale had not issued an official statement about the exploit.
DeFi Security Concerns Keep Growing
The DxSale incident is part of a broader trend of DeFi security failures. In April, the sector suffered chaotic losses from multiple incidents totaling at least $650 million. May has continued to see significant attacks: last week a bad actor exploited a verification flaw in the Verus bridge, stealing over $11 million by submitting a transaction small enough to pass checks while still enabling large withdrawals from the bridge’s reserves.
Earlier in the month, liquidity provider TrustedVolumes lost about $5.9 million after an attacker abused weaknesses in its custom settlement system—analysts concluded the exploit succeeded because authorization was validated against one address while funds were drawn from another.
THORChain was also targeted, with on-chain researchers estimating losses exceeding $10 million; the incident caused the RUNE token to plunge roughly 15% in a matter of minutes.
This pattern of incidents has prompted sharp warnings from security figures across the industry. OpenZeppelin co-founder Manuel Aráoz has gone as far as to say that “all of DeFi [is] unsafe,” arguing that AI-assisted attackers are discovering vulnerabilities faster than security teams can patch them. The wave of exploits highlights the need for better maintenance, verification, and access controls for legacy smart contracts that continue to hold significant user funds.