DxSale's Old LP Suffers Backdoor Attack, $7.3 Million Extracted

DxSale, as an early Launchpad platform, provided liquidity pool creation services for numerous projects during the 2021 bull market but left behind several old contracts that had not fully relinquished ownership. Similar incidents of LP extraction via exploited backdoors have occurred multiple times, reflecting the historical legacy risks in contract permission management from the rapid deployment of projects in 2021.

In terms of capital flow, the attacker quickly liquidated LP assets into BNB and transferred them to Binance by manipulating the backdoor contract, extracting and laundering the $7.3 million originally locked in the liquidity pool, typically exploiting old project permission vulnerabilities for low-cost, high-reward attack paths.

Similar backdoor attacks on PancakeSwap's old farms and Launchpads from 2021 to 2023, as well as multiple old projects being drained after being reactivated in 2024, indicate that the BNB Chain DeFi is transitioning from a phase of reckless growth to one of safety and compliance. Many old LPs from 2021 have become high-risk assets.

This fundamentally relates to regulatory changes and the restructuring of the industry chain, where old LP contracts without time locks or multi-signatures have had their permissions exploited by backdoors. The mechanism lies in the admin permissions retained by early project teams for rapid launches, which have become attack vectors years later, forcing capital to concentrate from legacy old protocols to a new generation of audited DeFi infrastructure.

ABAB News · Cognitive Law

Old contracts from 2021 have never been dormant assets but rather ticking time bombs. As long as backdoor permissions are not destroyed, $7.3 million can be silently extracted at any time. The most dangerous aspect of DeFi is not new projects, but those forgotten old permissions that still hold funds.