A decentralized finance platform, DxSale, has been drained of $7.3 million after an attacker exploited liquidity pools that had been inactive since 2021. The incident affected roughly 1,400 pools on the BNBChain, with funds siphoned from tokens that were likely abandoned by their creators.
How the exploit worked
The attacker targeted pools created during the 2021 bull run, many of which had been left untouched for years. According to on-chain data, the exploiter used a method that allowed them to withdraw the locked liquidity from these pools. DxSale confirmed the breach on its social media channels, advising users that the exploited pools were all from 2021 and had no active trading volume.
The platform urged token holders and project teams to revoke approvals for any contracts tied to those pools. The attacker managed to convert the stolen tokens into BNB and other assets, then moved the funds through multiple wallets to obscure the trail.
Impact on users and projects
For the projects that created those pools three years ago, the loss is total — the locked liquidity that was meant to back their tokens is gone. Many of those projects were likely defunct or abandoned, but a few might have remained active. DxSale said it is working with security firms and blockchain analysts to track the funds, but recovery seems unlikely given the time elapsed and the anonymity of the attacker.
The platform itself is not insolvent, but the breach raises questions about the security of stale liquidity pools on decentralized exchanges. DxSale has paused new pool creation on BNBChain while it conducts a full audit of its smart contracts.
Broader implications for DeFi
This incident highlights a persistent vulnerability in DeFi: abandoned or unmonitored liquidity pools can become ticking time bombs. Many tokens launched during the 2021 frenzy had their liquidity locked for a set period, but when that period expired, no one removed it or updated the contract. An attacker with knowledge of the old contract code can sometimes find a way to pull the funds.
DxSale is not the first platform to suffer this kind of attack, and it likely won't be the last. The total value locked in BNBChain pools from 2021 is unknown, but the $7.3 million taken represents only a fraction of what might still be vulnerable.
What DxSale is doing next
The team has implemented emergency measures, including a temporary freeze on all pool creation and a review of every active contract. They have also asked users to report any suspicious activity. A full post-mortem is expected within the next week, which will include a list of affected pool addresses and a plan to prevent similar exploits.
For now, the stolen funds remain untraced, and the attacker's identity unknown. DxSale's next move will be to strengthen its contract verification process and possibly introduce a time-lock or multisig requirement for older pools.
