KiloEx, a decentralized exchange specializing in perpetual futures trading, has reported a loss of roughly $7 million from a price oracle manipulation attack. The incident, which spanned three blockchains, was first flagged by the web3 security firm Cyvers on Monday evening. According to Cyvers, the attacker exploited an oracle access-control vulnerability to push manipulated price data, allowing them to drain funds from KiloEx on the Base, BNB Chain, and Taiko networks.

Oracles play a crucial role in decentralized applications by feeding external data, such as asset prices, onto the chain so that smart contracts can act on it. In this case, the attacker exploited a flaw in KiloEx's price feed to push false market rates that the platform accepted as genuine. With the reference price under their control, the attacker opened highly leveraged positions, which amplify gains when the price moves in the trader's favour (here, a move the attacker dictated) just as they amplify losses otherwise. On-chain data indicated that the attacker made over $3 million in profit from a single transaction during the attack.
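The mechanism the article describes, reduced to a runnable illustration. This is an added example, not KiloEx's code or a reconstruction of its contracts; the venue, the addresses, the prices, and the 500 basis-point deviation bound are all constructed for the demonstration. It contrasts an oracle whose update function has no caller check with one that whitelists updaters and bounds each price move, and shows why the missing check turns a small margin deposit into a large payout on a leveraged position.

```python
"""Toy perpetual-futures venue settled against an on-chain price oracle.

Hypothetical illustration of an oracle access-control flaw: all names,
addresses and prices below are constructed for this example and do not
describe KiloEx's actual contracts.
"""
from dataclasses import dataclass


class Unauthorized(Exception):
    """A non-whitelisted address tried to push a price."""


class PriceRejected(Exception):
    """An update moved the price further than the venue allows."""


class VulnerableOracle:
    """Anyone can set the price: the access-control check is missing."""

    def __init__(self, price: float) -> None:
        self.price = price

    def update(self, caller: str, new_price: float) -> None:
        # No check on `caller`, no sanity check on `new_price`.
        self.price = new_price


class HardenedOracle:
    """Only whitelisted updaters may push, and each push is bounded.

    The deviation bound is a second line of defence: even a compromised
    updater key cannot move the price more than `max_deviation_bps` per update.
    """

    def __init__(self, price: float, updaters: set[str], max_deviation_bps: int = 500) -> None:
        self.price = price
        self.updaters = set(updaters)
        self.max_deviation_bps = max_deviation_bps

    def update(self, caller: str, new_price: float) -> None:
        if caller not in self.updaters:
            raise Unauthorized(caller)
        if new_price <= 0:
            raise PriceRejected(new_price)
        deviation_bps = abs(new_price - self.price) * 10_000 / self.price
        if deviation_bps > self.max_deviation_bps:
            raise PriceRejected(new_price)
        self.price = new_price


@dataclass
class Position:
    size: float   # notional exposure in quote currency
    entry: float  # oracle price at open


class PerpVenue:
    """PnL is settled against whatever price the oracle currently reports."""

    def __init__(self, oracle, max_leverage: int = 100) -> None:
        self.oracle = oracle
        self.max_leverage = max_leverage
        self.positions: dict[str, Position] = {}

    def open_long(self, trader: str, margin: float, leverage: int) -> None:
        leverage = min(leverage, self.max_leverage)
        self.positions[trader] = Position(size=margin * leverage, entry=self.oracle.price)

    def close(self, trader: str) -> float:
        pos = self.positions.pop(trader)
        # Long PnL: notional scaled by the relative move from entry to current price.
        return pos.size * (self.oracle.price - pos.entry) / pos.entry


FAIR_PRICE = 100.0        # constructed "true" market price
ATTACKER = "0xattacker"   # constructed address
KEEPER = "0xkeeper"       # constructed whitelisted updater


def run_attack(oracle) -> float:
    """Crash the price, open a max-leverage long, restore the price, close.

    Returns realised PnL, or 0.0 when the oracle refuses the manipulation.
    """
    venue = PerpVenue(oracle)
    try:
        oracle.update(ATTACKER, 1.0)         # push a false, very low price
        venue.open_long(ATTACKER, margin=1_000.0, leverage=100)
        oracle.update(ATTACKER, FAIR_PRICE)  # restore the real price
        return venue.close(ATTACKER)
    except (Unauthorized, PriceRejected):
        return 0.0


def keeper_push(oracle: HardenedOracle, new_price: float) -> bool:
    """Whether a legitimate keeper update is accepted by the hardened oracle."""
    try:
        oracle.update(KEEPER, new_price)
        return True
    except PriceRejected:
        return False


if __name__ == "__main__":
    print("vulnerable oracle, attacker PnL:", run_attack(VulnerableOracle(FAIR_PRICE)))
    print("hardened oracle, attacker PnL:  ", run_attack(HardenedOracle(FAIR_PRICE, {KEEPER})))
```

With the vulnerable oracle a $1,000 margin deposit at 100x leverage settles for $9.9 million of profit, because the attacker chose both the entry and the exit price. The hardened oracle rejects the first push on the caller check alone; the deviation bound additionally blocks a 99% move even from a whitelisted key, which is why production feeds pair such bounds with multiple independent sources or a median rather than relying on a single signer.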

Complicating attribution, the attacker funded their wallet through Tornado Cash, a well-known Ethereum-based mixer that obscures the origins of cryptocurrency transactions. Following the breach, KiloEx suspended its trading platform to prevent further outflows. In an update released on April 14, the protocol confirmed the nature of the attack and told users that the exploit had been contained. The KiloEx team said it is working with security experts to trace the stolen funds and announced plans for a bounty program aimed at recovering them.

KiloEx has also reached out to the attacker in a bid to negotiate the return of the stolen funds. A post on X (formerly Twitter) indicated that the exchange is willing to let the attacker keep 10% of the stolen funds as a reward for returning the remaining 90%. "We will tweet about this resolution, acknowledging your cooperation and closing the case without further action," the team stated, inviting the attacker to make contact through a dedicated email address or an on-chain message.

Should the attacker dismiss the offer, the exchange has vowed to take further action, warning that it would disclose the hacker's identity and pursue legal recourse. "If you fail to comply, we will escalate the investigation with law enforcement and cybersecurity partners. Your identity and activities will be exposed to relevant authorities, and we will pursue legal action relentlessly," the exchange cautioned.

Oracle manipulation is not new to decentralized applications. A notable instance occurred in 2022 when Avraham Eisenberg extracted roughly $110 million from the Mango Markets platform by inflating the price of its MNGO token, which the protocol's oracle used to value his collateral, and then borrowing against that inflated value. In 2024, Eisenberg was convicted on fraud charges in a federal court in Manhattan but has since requested a new trial.

Disclaimer: The Block is an independent media outlet committed to delivering news, research, and data within the cryptocurrency sector. As of November 2023, Foresight Ventures is a principal investor in The Block. Foresight Ventures also invests in various companies in the crypto space, including the crypto exchange Bitget, which serves as an anchor LP for Foresight Ventures. The Block maintains its independence to provide objective and timely information about developments in the cryptocurrency industry.

© 2025 The Block. All rights reserved. This article is intended for informational purposes only and should not be construed as legal, tax, investment, financial, or other types of advice.