KiloEx Suffers Security Breach Resulting In $7M Loss, Suspends Operations And Initiates Investigation


In Brief
KiloEx suffered a $7 million security breach caused by a smart contract vulnerability that allowed an attacker to manipulate oracle prices across multiple chains.

Decentralized trading platform KiloEx has disclosed that it experienced a security breach, during which its vault system was compromised. The platform has advised all associated protocols and partners to immediately blacklist the implicated wallet address in an effort to prevent any additional malicious transactions.
KiloEx stated that the situation has been brought under control. As a precaution, the platform has suspended operations and is actively collaborating with security specialists to trace the movement of the stolen funds. Additionally, KiloEx plans to introduce a bounty program aimed at encouraging assistance in the investigation.
At present, the team is conducting a detailed analysis of the breach, including identifying the method of attack and the specific assets affected. They are also working with other players in the ecosystem to support efforts to track and potentially recover the compromised funds. A full incident report is currently being prepared and will be made available to the community in the near future.
According to blockchain security firm PeckShield, unusual transaction activity spanned multiple blockchain networks. An address that initially received funds through the privacy protocol Tornado Cash has been observed conducting a series of coordinated transactions that appear exploitative in nature. These activities have been carried out across the BNB Chain, Base, and Taiko networks, resulting in an estimated accumulation of approximately $7 million in assets.
Shortly after the incident, another blockchain security firm, SlowMist, provided its findings, pointing to a lack of access control in the top-level contract, known as MinimalForwarder, as the root cause. This vulnerability allowed an attacker to manipulate oracle pricing mechanisms.
SlowMist went on to explain the technical details of the exploit path. The function responsible for updating price data, setPrices, is part of the KiloPriceFeed contract and is intended to be called by the Keeper contract. In turn, the Keeper contract has a function, 0x7a498a61, which manages both price adjustments and position creation, and this must be triggered by the PositionKeeper contract. The PositionKeeper contract’s function 0xac9fd279 is designed to initiate calls to the Keeper contract and must be accessed through the MinimalForwarder contract.
The vulnerability lies in the execute function of the MinimalForwarder contract, which permits users to provide an arbitrary from address along with a crafted signature that bypasses the intended validation. Moreover, this function lacks restrictions on the payload of external calls. This loophole allowed the attacker to sequentially trigger a call to setPrices and alter the oracle data.
The exploit was executed by first artificially lowering the asset price to open a long position at a favorable rate. The attacker then quickly manipulated the price to an inflated level to close the position and secure profit.
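The call chain SlowMist describes (MinimalForwarder → PositionKeeper → Keeper → KiloPriceFeed.setPrices) is only as trustworthy as the forwarder at its top: if execute does not bind the supplied from address to a valid signature, and does not limit what it will call, every downstream "only the keeper may call this" check is inherited from a contract that does not actually authenticate anyone. The Solidity below is an added illustration written for this article, not KiloEx's, SlowMist's or any audited library's code. The contract and function names (HardenedForwarder, PriceFeed, the target allowlist, the MAX_MOVE_BPS bound) are assumptions chosen to show the two controls the article says were missing, signer-to-from binding and a restriction on the forwarded payload, plus a sanity bound on how far one update may move a price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative price feed guarded by a keeper check (names are assumptions for this
/// article). Calls may arrive directly from the keeper or through one vetted ERC-2771
/// forwarder that appends the original sender to calldata.
contract PriceFeed {
    address public immutable trustedForwarder;
    address public immutable keeper;
    uint256 public constant MAX_MOVE_BPS = 1_000; // illustrative: at most 10% per update
    mapping(address => uint256) public prices;

    constructor(address forwarder, address keeper_) {
        trustedForwarder = forwarder;
        keeper = keeper_;
    }

    // Trust the appended sender only when the call comes from the one vetted forwarder.
    // This check is exactly as strong as that forwarder's signature verification.
    function _msgSender() internal view returns (address) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            return address(bytes20(msg.data[msg.data.length - 20:]));
        }
        return msg.sender;
    }

    function setPrices(address[] calldata tokens, uint256[] calldata newPrices) external {
        require(_msgSender() == keeper, "PriceFeed: only keeper");
        require(tokens.length == newPrices.length, "PriceFeed: length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 old = prices[tokens[i]];
            if (old != 0) {
                // Reject a single update that moves the price more than MAX_MOVE_BPS,
                // so a sudden drop followed by a spike is not accepted at face value.
                uint256 delta = newPrices[i] > old ? newPrices[i] - old : old - newPrices[i];
                require(delta * 10_000 <= old * MAX_MOVE_BPS, "PriceFeed: move too large");
            }
            prices[tokens[i]] = newPrices[i];
        }
    }
}

/// Forwarder that (1) binds `from` to the signer of an EIP-712 request, (2) enforces a
/// per-sender nonce, and (3) forwards only to an owner-maintained allowlist of targets.
contract HardenedForwarder {
    struct ForwardRequest { address from; address to; uint256 value; uint256 gas; uint256 nonce; bytes data; }

    bytes32 private constant TYPEHASH = keccak256(
        "ForwardRequest(address from,address to,uint256 value,uint256 gas,uint256 nonce,bytes data)"
    );
    bytes32 private immutable DOMAIN_SEPARATOR;
    address public immutable owner;
    mapping(address => uint256) public nonces;
    mapping(address => bool) public allowedTargets;

    constructor() {
        owner = msg.sender;
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("HardenedForwarder"), keccak256("1"), block.chainid, address(this)
        ));
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "Forwarder: not owner");
        allowedTargets[target] = allowed;
    }

    // The recovered signer must equal `from` and the nonce must be current, so a caller
    // cannot name someone else as `from` and pass a signature made by anyone but them.
    function verify(ForwardRequest calldata req, bytes calldata sig) public view returns (bool) {
        bytes32 structHash = keccak256(abi.encode(
            TYPEHASH, req.from, req.to, req.value, req.gas, req.nonce, keccak256(req.data)
        ));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
        return nonces[req.from] == req.nonce && _recover(digest, sig) == req.from;
    }

    function execute(ForwardRequest calldata req, bytes calldata sig)
        external payable returns (bool success, bytes memory ret)
    {
        require(verify(req, sig), "Forwarder: signature does not match from");
        require(allowedTargets[req.to], "Forwarder: target not allowed"); // payload restriction
        nonces[req.from] = req.nonce + 1;
        (success, ret) = req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "Forwarder: bad signature length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        require(v == 27 || v == 28, "Forwarder: bad v");
        // Reject high-s values so each message has a single canonical signature.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "Forwarder: bad s");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "Forwarder: invalid signature");
        return signer;
    }
}
```

The design point is that ERC-2771 trust is transitive: PriceFeed.setPrices accepts whatever sender the forwarder appends, so the forwarder's verify and allowlist are the real access control for the oracle. Reviewers should check that every privileged contract reachable through a forwarder was deployed with the intended forwarder address, that the forwarder's signature check compares the recovered signer against from (not merely that a signature recovers to some address), and that the set of callable targets is explicit rather than open.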
What Is KiloEx?
KiloEx is a decentralized trading platform designed to offer users fast transaction speeds, real-time insights into market activity, and a user-friendly interface. It also aims to provide liquidity providers with strategies that minimize directional risk while supporting capital efficiency.
On KiloEx, the Vault acts as the direct counterparty to user trades within the decentralized system. The Vault’s performance is entirely driven by trading activity on the platform. Liquidity providers can participate by depositing supported assets—such as USDT, USDC, or other token pairs—into the Vault.
By contributing liquidity, participants help facilitate trades and, in return, may earn a share of up to 30% of the platform’s total trading revenue, based on the volume and activity generated.
Disclaimer
In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.
About The Author
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.