DxSale, a DeFi platform on the BNB Chain, has encountered a new security incident. Multiple on-chain investigators claim that attackers transferred approximately $7.3 million in assets from old liquidity pools locked in 2021, involving about 1,400 LP pools. Following the incident, external questions about the platform's management of permissions to old contracts and internal connections within the team have rapidly intensified.

Old liquidity pools were withdrawn in a concentrated manner
PeckShieldAlert stated that the attack primarily targeted a number of historical liquidity pools on the BNB Chain. The attackers transferred out 2,958 BNB, equivalent to approximately $1.87 million at the time, and dispersed the funds into two main wallets before they flowed to multiple Binance deposit addresses.
On-chain monitoring also revealed that ownership of these old lockers was transferred to an unverified contract approximately nine months ago, controlled by backers. The attackers used approximately 80 wallets to switch paths, making tracing easier.

A single transaction completes key operations
Investigators say the final execution address invoked a custom-designed withdrawal contract and completed key operations in a single transaction. This included driving fees down to near zero and rewinding the unlock time, ultimately withdrawing all assets from the pool in one go.
After the funds were transferred out, the relevant tokens were exchanged for BNB, and then entered a cross-chain mixing tool to further conceal the flow of funds.
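The single-transaction pattern described above (fee lowered to near zero, unlock time rewound, withdrawal from the same locker) can be turned into a monitoring rule. The following is an added example, not code from the report or from DxSale; the event names, fields, fee threshold and sample records are all constructed assumptions about a hypothetical locker contract.

```python
from collections import defaultdict

# Constructed sample: decoded events from a hypothetical LP locker contract.
# Event names and fields are assumptions, not DxSale's actual ABI.
EVENTS = [
    {"tx": "0xaaa", "locker": "L1", "event": "FeeChanged", "old": 100, "new": 0},
    {"tx": "0xaaa", "locker": "L1", "event": "UnlockTimeChanged", "old": 1_900_000_000, "new": 1_600_000_000},
    {"tx": "0xaaa", "locker": "L1", "event": "Withdrawn", "amount": 5000},
    {"tx": "0xbbb", "locker": "L2", "event": "UnlockTimeChanged", "old": 1_700_000_000, "new": 1_900_000_000},  # lock extended
    {"tx": "0xccc", "locker": "L3", "event": "Withdrawn", "amount": 10},  # ordinary withdrawal
    {"tx": "0xddd", "locker": "L4", "event": "FeeChanged", "old": 100, "new": 1},
    {"tx": "0xddd", "locker": "L5", "event": "Withdrawn", "amount": 7},  # different locker, not correlated
]

NEAR_ZERO_FEE_BPS = 1  # assumed threshold, in basis points


def classify(event):
    """Map one event to a risk signal name, or None if it is benign."""
    kind = event["event"]
    if kind == "FeeChanged" and event["new"] < event["old"] and event["new"] <= NEAR_ZERO_FEE_BPS:
        return "fee_near_zero"
    if kind == "UnlockTimeChanged" and event["new"] < event["old"]:
        return "unlock_rewound"
    if kind == "Withdrawn":
        return "withdrawal"
    return None


def flag_transactions(events):
    """Return {tx: [finding, ...]} for txs that rewind a lock and withdraw from that same locker."""
    signals = defaultdict(set)  # (tx, locker) -> set of signal names
    for ev in events:
        sig = classify(ev)
        if sig:
            signals[(ev["tx"], ev["locker"])].add(sig)
    flagged = defaultdict(list)
    for (tx, locker), sigs in signals.items():
        # Core pattern: unlock time moved earlier and funds withdrawn in one transaction.
        # A near-zero fee change raises confidence but is not required to flag.
        if {"unlock_rewound", "withdrawal"} <= sigs:
            flagged[tx].append({"locker": locker, "fee_zeroed": "fee_near_zero" in sigs})
    return dict(flagged)
```

On the constructed data only transaction `0xaaa` is flagged; a lock extension, a plain withdrawal, and a fee change on an unrelated locker are not.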

Questions about internal connections intensify
Following the incident, the on-chain analytics account Eyeonchain said that some clues point to the DxSale team or to individuals familiar with the system. The account stated that as early as August 2025, someone was selling a service on DxSale's Telegram channel, claiming it could unlock old LPs left over from before the end of 2021.
According to this account, the service provider claimed to have internal connections with the team and access to the wallets used in DxSale's early fundraising, and charged a 20% cut of the retrieved funds. Based on these historical clues, Eyeonchain believes this attack was more likely carried out by someone with internal-level privileges or knowledge of the old system architecture, and does not even rule out the possibility of involvement by former team members.
Additional information: The report also mentioned that some funds have already flowed into Binance's deposit address, meaning that the relevant assets may face subsequent freezing. If true, the affected funds may include assets of project owners or investors who previously raised funds through DxSale.











