
DxSale Investigation: Rug Pull Pattern & Fund Diversion Analysis

📅 2025-06-03
rug-pull dxsale bsc fund-diversion

DxSale Legacy Architecture Vulnerability Investigation Report

Date: June 2, 2026

Loss Amount: ~$7.3M

Affected Users: 1,400+ Liquidity Providers

Status: Team Blaming BSC New Features


Executive Summary

In early June 2026, DxSale—a DeFi Launchpad project—suffered an attack on its legacy liquidity vault (deployed in 2021), with approximately $7.3 million drained from over 1,400 locked liquidity pools.

This is a classic case of "Sleeping Vulnerability Awakening"—code lying dormant for 3 years, becoming catastrophic once discovered.


Attack Vector Analysis

Key Findings

  • Legacy Architecture: First-generation vault from 2021 was never properly audited or deprecated
  • Ownership Transfer: Contract ownership was secretly transferred 269 days ago, never publicly announced by the team
  • Fee-Modification Abuse: Administrators can use the fee modification mechanism to convert "locked" assets into withdrawable funds
Fund Flow

| Stage | Details |
|-------|---------|
| Attacker Address | 0xC457...FA69 (full address requires further investigation) |
| Main Fund Vaults | Two wallets, each receiving ~$1.87M BNB |
| Money Laundering Channel | Multiple deposits into Binance |
| Initial Gas Source | Attacker obtained initial gas fees through Bybit |


Team Response: The Blame Game

DxSale Official Statement:

> "The vulnerability only affects the first-generation vault from 2021, related to BSC's new atomic transaction feature. The new contracts are completely safe."

Problems with This Narrative

  • Secretly transferred permissions 269 days ago, now blaming BSC's new features?
  • If new contracts are safe, why was the old vault completely drained?
  • "First Generation Vaults" were essentially a backdoor planted by the team that was never cleaned up


Legacy Architecture Risk Matrix

| Vulnerability Type | Impact | Affected Architecture |
|-------------------|--------|------------------------|
| Fee-Modification Privilege Abuse | Locked assets can be arbitrarily withdrawn | First Generation Vaults (2021) |
| Atomic Transaction Manipulation | Cross-chain execution exploited | BSC Interface |
| Secret Ownership Transfer | Permission chain tracking difficult | All Historical Contracts |


Community Response

Blockchain analyst Tahax discovered:

  • Malicious wallet only appeared shortly before the attack
  • Attacker obtained gas fees through Bybit deposit
  • Some funds passed through obfuscation infrastructure

Coinsult Analysis Conclusion:

> "Fee-Modification mechanism + Legacy Asset Locking Function = Lethal Combination"


2026 DeFi Security Data

| Month | Attack Count | Loss Amount |
|-------|--------------|-------------|
| April | ~30 | $634M (Annual High) |
| May | ~60 | $59M |
| Early June | Ongoing | Multiple > $1M |


Data Sources

  • PeckShieldAlert: https://x.com/PeckShieldAlert/status/2060188553079054351
  • Tahax Analysis: https://x.com/Tahax1/status/2060003698651087205
  • Coinsult: https://x.com/CoinsultAudits/status/2060015934153146757
  • DxSale Response: https://x.com/dxsale/status/2060739439744237912
  • Meterpreter Analysis: https://meterpreter.org/dxsale-liquidity-pool-exploit/


Risk Warnings

  • 2021 Code = Time Bomb: Features considered "innovative" at the time may now be vulnerabilities
  • Regular Audits: Projects need continuous monitoring after launch, especially legacy contracts
  • Permission Transparency: Ownership transfers must be publicly announced to the community
  • Locked ≠ Safe: If "lockup" functionality has admin backdoors, there's no actual lock
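
A monitoring check for the "Permission Transparency" and "Regular Audits" points above, as an added example (not code from DxSale or the cited analysts): it scans eth_getLogs-style records for ownership changes on watched legacy contracts and reports any whose new owner was never publicly announced. Assumptions: the contract emits the OpenZeppelin-style OwnershipTransferred event and each log record carries a blockTimestamp field; the function names, addresses and sample logs are constructed placeholders, with the 269-day gap chosen to mirror the figure in this report.

```python
from datetime import datetime, timedelta, timezone

# keccak256("OwnershipTransferred(address,address)"), emitted by OpenZeppelin-style
# Ownable contracts. Assumption: the monitored vault emits this event.
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    raw = topic.lower().removeprefix("0x")
    if len(raw) != 64 or int(raw[:24], 16) != 0:
        raise ValueError(f"not an address topic: {topic!r}")
    return "0x" + raw[24:]

def unannounced_transfers(logs, watched, announced, now):
    """One finding per ownership change on a watched contract whose new owner
    is missing from the publicly announced set (both sets hold lowercase hex)."""
    findings = []
    for log in logs:
        topics = log.get("topics", [])
        if log.get("address", "").lower() not in watched:
            continue
        if len(topics) != 3 or topics[0].lower() != OWNERSHIP_TRANSFERRED:
            continue
        new_owner = topic_to_address(topics[2])
        if new_owner in announced:
            continue
        when = datetime.fromtimestamp(int(log["blockTimestamp"], 16), timezone.utc)
        findings.append({"contract": log["address"].lower(),
                         "previous_owner": topic_to_address(topics[1]),
                         "new_owner": new_owner,
                         "tx": log["transactionHash"],
                         "days_unannounced": (now - when).days})
    return findings

# --- Constructed sample data: placeholder addresses, not taken from the incident ---
VAULT, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TEAM, NEW_MSIG, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
NOW = datetime(2026, 6, 2, tzinfo=timezone.utc)

def sample(addr, old, new, days_ago, tx):
    """Build one constructed log record shaped like an eth_getLogs entry."""
    ts = int((NOW - timedelta(days=days_ago)).timestamp())
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": addr, "topics": [OWNERSHIP_TRANSFERRED, pad(old), pad(new)],
            "blockTimestamp": hex(ts), "transactionHash": tx}

SAMPLE_LOGS = [sample(VAULT, TEAM, NEW_MSIG, 900, "0x01"),     # announced handover
               sample(VAULT, NEW_MSIG, UNKNOWN, 269, "0x02"),  # never announced
               sample(OTHER, TEAM, UNKNOWN, 10, "0x03")]       # contract not watched

if __name__ == "__main__":
    for finding in unannounced_transfers(SAMPLE_LOGS, {VAULT}, {NEW_MSIG}, NOW):
        print(finding)
```

If a node's log records lack blockTimestamp, the block header for each log's block number supplies the same value.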