Old DxSale Lockers Drained for $7.3M Across 1,400 BNB Chain Pools as Owner-Privilege Exploits Pile Up



A dormant launchpad contract from 2021 was emptied this week through a quiet ownership transfer and a one-wei fee reset — the latest in a string of BNB Chain drains that turn admin keys into the attack surface.

An attacker drained roughly $7.3 million from more than 1,400 legacy liquidity-provider positions sitting in old DxSale locker contracts on BNB Chain, security firms PeckShield and Coinsult reported on May 29. The drain was made possible not by a smart-contract bug but by a silent ownership transfer routed through roughly 80 wallets nine months earlier.

The attacker, operating from address `0xC457…FA69`, took control of the legacy locker, reduced its lock-modification fee to one wei, reset lock-expiration timestamps to 68 seconds after the Unix epoch and then batch-withdrew across 1,400-plus pools, according to Coinsult’s trace of the privileged `setFee` call. The wallet was funded from Bybit and possibly routed through AnySwap; PeckShield reported 2,958 BNB — about $1.87 million at the time of the drain — moved through two consolidation wallets and into Binance deposit addresses.

The episode crystallizes a pattern that has run through every major BNB Chain exploit of the last six months: the network’s biggest losses are coming from compromised owner keys and abused admin functions, not novel cryptographic flaws.

Access-control failures accounted for 69% of all BNB Chain losses in 2024, according to a joint Hacken / BNB Chain security report published in September. BNB Chain, the smart-contract network now ranked second by TVL at $5.37 billion behind only Ethereum, absorbed more than $200 million in exploit losses across 12 incidents last year, more than four times the $47 million it lost in 2024, according to DeFiLlama data.

DxSale, a launchpad widely used in the 2021 cycle to mint tokens and lock liquidity on BNB Chain, eventually posted an incident notice on its official X account confirming an exploit was under investigation, hours after PeckShield and Coinsult had flagged the drain. Founders of projects that had used DxSale’s locker years earlier woke up to find LPs they believed were permanently locked already on their way to mixers.

The Ownership Trail

The on-chain analyst who first flagged the incident, who posts as Tahax on X, said the DxSale deployer had silently transferred ownership of the legacy locker to a new wallet “nearly nine months ago,” around August 2025, with no public announcement and no migration path for projects whose LPs were still inside. The admin rights then walked through roughly 80 intermediate wallets before landing at the address that executed the drain, a pattern Tahax described as deliberate obfuscation of who actually controlled the contract by the time it was emptied.
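As an added, defender-side illustration (not code from DxSale, Coinsult or PeckShield), the following Python heuristic scans decoded admin events from an LP locker in block order and flags the sequence described above and in the opening paragraphs: an ownership handover, a fee reset to a dust value, and unlock times pulled into the past. The event and field names, the dust threshold and the sample log are all constructed assumptions.

```python
from dataclasses import dataclass, field

DUST_FEE_WEI = 10**12  # assumption: fees under 0.000001 BNB are treated as dust

@dataclass
class AdminEvent:
    block: int
    name: str   # constructed event names: OwnershipTransferred, FeeUpdated, LockUpdated
    data: dict = field(default_factory=dict)

def audit_admin_events(events, now_ts):
    """Scan decoded admin events in block order and return (block, reason) alerts.
    Privileged changes landing after an ownership handover get an escalation entry."""
    alerts, handover_block = [], None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name == "OwnershipTransferred":
            handover_block = ev.block
            alerts.append((ev.block, "owner changed to %s" % ev.data["newOwner"]))
        elif ev.name == "FeeUpdated" and ev.data["newFee"] < DUST_FEE_WEI:
            alerts.append((ev.block, "fee reset to dust value: %d wei" % ev.data["newFee"]))
        elif ev.name == "LockUpdated" and ev.data["newUnlockTime"] < ev.data["oldUnlockTime"]:
            reason = "lock %d unlock time moved earlier" % ev.data["lockId"]
            if ev.data["newUnlockTime"] <= now_ts:
                reason += " (now in the past: withdrawable immediately)"
            alerts.append((ev.block, reason))
    if handover_block is not None and any(
        b >= handover_block and not r.startswith("owner changed") for b, r in alerts
    ):
        alerts.append((handover_block, "ESCALATE: privileged changes follow an ownership handover"))
    return alerts

# Constructed sample log mirroring the sequence the article describes; the
# extension at block 150 is the benign case and must not be flagged.
SAMPLE_EVENTS = [
    AdminEvent(100, "OwnershipTransferred", {"previousOwner": "0xDEPLOYER", "newOwner": "0xNEWOWNER"}),
    AdminEvent(150, "LockUpdated", {"lockId": 8, "oldUnlockTime": 1_700_000_000, "newUnlockTime": 1_750_000_000}),
    AdminEvent(200, "FeeUpdated", {"oldFee": 10**17, "newFee": 1}),
    AdminEvent(201, "LockUpdated", {"lockId": 7, "oldUnlockTime": 1_800_000_000, "newUnlockTime": 68}),
]

def run_demo(now_ts=1_748_500_000):  # constructed "current" timestamp
    return audit_admin_events(SAMPLE_EVENTS, now_ts)

if __name__ == "__main__":
    for block, reason in run_demo():
        print(block, reason)
```

In practice the events would come from decoded receipt logs of the locker, and an owner change on a contract still holding user funds is worth an alert on its own, before any fee or expiry change follows.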

The locker contract itself was unverified on BscScan, Tahax noted, leaving observers unable to inspect the upgrade path or confirm whether a deliberate backdoor was present from the start. Community researchers have raised the possibility of insider involvement, pointing to screenshots circulating on Telegram in August 2025 that advertised a service offering to unlock old DxSale LPs and claimed internal access. None of that has been proven.

The EIP-7702 Companion Pattern

The DxSale drain follows a more technically sophisticated BNB Chain incident from November, in which the launch-week protocol GANA Payment lost $3.1 million within nine days of going live. In that case, a leaked owner key was paired with an EIP-7702 delegator contract — the new batch-delegation primitive introduced by Ethereum’s Pectra upgrade and inherited by BNB Chain — to bypass the staking contract’s `onlyEOA` check and drain the vault through eight rotated-ownership iterations of a stake-unstake reward-inflation loop.

Quill Audits and SlowMist’s Yu Xian confirmed the EIP-7702 mechanism on the GANA exploit, identifying the malicious delegator at `0x7A44bD9C6095Ca7b2A6f62FE65b81924c6cAb067` and tracing the laundering: 1,140 BNB through BSC Tornado Cash, roughly $2.1 million bridged to Ethereum via deBridge and Stargate, and 346 ETH eventually fed through Ethereum Tornado Cash in incremental batches.

EIP-7702 has exceeded 25,000 wallet upgrades across Ethereum, BNB Chain and other EVM networks since Pectra activated, and BNB Chain alone hosts more than 5,200 of those accounts. Wintermute’s research team reported in May that more than 97% of EIP-7702 delegations on mainnet were pointing to a small set of copy-pasted sweeper contracts — a sign the primitive is being weaponized faster than legitimate smart-wallet use is scaling.
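Added example, not Wintermute's or any project's code: under EIP-7702 an upgraded account's code becomes the 23-byte delegation designator `0xef0100 || address`, so fetched account code can be parsed for its delegate and the delegates tallied to show how concentrated they are on a few targets, which is the kind of measurement behind the 97% figure above. The account addresses and codes below are constructed.

```python
from collections import Counter

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation designator magic

def parse_delegation(code: bytes):
    """Return the delegate address as 0x-hex if `code` is a 7702 designator
    (0xef0100 || 20-byte address, exactly 23 bytes), otherwise None."""
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None

def delegation_concentration(account_codes):
    """Given {account: code_bytes}, return (delegated_count, [(delegate, share), ...])
    sorted by share, so a few targets absorbing most delegations stand out."""
    targets = Counter()
    for code in account_codes.values():
        target = parse_delegation(code)
        if target is not None:
            targets[target] += 1
    total = sum(targets.values())
    shares = [(t, n / total) for t, n in targets.most_common()] if total else []
    return total, shares

# Constructed sample: three accounts point at one delegate, one at another,
# plus a plain EOA and an ordinary contract that must be ignored.
SWEEPER_LIKE = bytes.fromhex("ef0100" + "11" * 20)   # constructed delegate address
SMART_WALLET = bytes.fromhex("ef0100" + "22" * 20)   # constructed delegate address
SAMPLE_CODES = {
    "0xacc1": SWEEPER_LIKE, "0xacc2": SWEEPER_LIKE, "0xacc3": SWEEPER_LIKE,
    "0xacc4": SMART_WALLET,
    "0xacc5": b"",                          # undelegated EOA
    "0xacc6": bytes.fromhex("6080604052"),  # ordinary contract bytecode prefix
}

def run_demo():
    return delegation_concentration(SAMPLE_CODES)

if __name__ == "__main__":
    total, shares = run_demo()
    for delegate, share in shares:
        print(f"{delegate}: {share:.0%} of {total} delegations")
```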

The Sector Backdrop

Across the broader market, PeckShield’s May tally put crypto losses at $81.7 million across 40 incidents — down 87% from April’s $647 million spike — and the firm’s bridge audit flagged eight cross-chain exploits totaling $328.6 million through the first half of May, an indication that bridges remain the year’s most-attacked category. BNB Chain’s roughly $8.1 million in May losses came almost entirely from DxSale and a smaller $815,000 Alephium Bridge incident.

BNB traded at $632 on Wednesday, down 6.1% over the prior 24 hours and 3.3% over the past week, with the broader BSC ecosystem absorbing the news against an $85 billion market cap. PancakeSwap, the chain’s dominant DEX, processed $743 million in 24-hour volume during the same window.

What Holders Can Do

DxSale users with funds in legacy lockers have limited options. The drained assets were swapped to BNB and routed through bridge and mixer services, making on-chain recovery unlikely without exchange-level cooperation. PeckShield’s flagging of Binance deposit addresses is the most plausible recovery vector, though the pattern of past BSC exploits suggests the bulk of the stolen funds will surface only through investigator-led de-mixing. Whether DxSale follows up with a compensation plan or simply goes silent will determine whether the rest of its still-locked liquidity stays put or rushes for the exits.


