How was KiloEX hacked for $7.5 million?

Reprinted from Jinse (Golden Finance)
April 15, 2025. Author: Stephen Katte, CoinTelegraph; compiled by White Water, Golden Finance
Decentralized exchange KiloEX has confirmed that it paused its platform after a $7.5 million exploit and is tracing the stolen funds.
In a statement on X on April 14, the KiloEX team said the exploit has been contained, the platform has been paused and an investigation is under way.
"The team has suspended the platform immediately and is working with security partners to track the flow of funds," KiloEX said.
“We are analyzing attack vectors and affected assets. We are working with ecosystem partners to track and recover funds as much as possible.”
KiloEX said a bounty program and a full report on the exploit are also in progress.
In a follow-up post, the KiloEX team said it is working with BNB Chain, Manta Network and the security firms Seal-911, SlowMist and Sherlock to cover "multiple ecosystems."
“Our investigation has confirmed that the stolen assets are currently being routed through zkBridge and Meson,” KiloEX said.
"We are urgently working with both protocols to stop ongoing transactions and prevent further losses."
KiloEX attacker exploited a price oracle flaw, analysts say
In a post on X on April 14, security firm PeckShield said the exploiter stole a total of $7.5 million: $3.3 million on Base, $3.1 million on opBNB and $1 million on BSC.
The firm suspected the root cause is a "price oracle problem": the price feed a smart contract relies on to value assets can be manipulated or is otherwise inaccurate, and the attacker profits from the bad price.
"Our preliminary analysis of a transaction vulnerability shows that there is a price oracle problem," PeckShield said.
“The hacker exploited the vulnerability to create a new ETH/USD position with an initial price of 100 and then immediately closed the position at an inflated 10,000 ETH/USD price, making a net profit of $3.12 million in a single transaction.”
Chaofan Shou, co-founder of blockchain analytics firm Fuzzland, also weighed in, and he likewise suspected a price oracle problem.
"Anyone can change the price oracle of Kilo. They do verify that the caller is a trusted forwarder, but not the caller being forwarded," Shou said.
Asked by a user how complex the exploit was, Shou added that it was a "very simple vulnerability."
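The access-control gap Shou describes, as an added illustration that is not KiloEX's code and does not reproduce its contracts: a contract that accepts oracle updates through an ERC-2771 style trusted forwarder checks that `msg.sender` is the forwarder but never checks who the forwarded caller is, so any account that can route a call through the forwarder can set the price. The contract and function names, the "keeper" role, the simplified forwarder (real ones verify a signature and nonce for the forwarded address, which still does not make that address privileged) and the payout formula are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code only (not KiloEX's contracts). Names, the keeper role and
// the payout formula are assumptions made for this example.

// Simplified ERC-2771 style forwarder: relays a call and appends the original
// caller's address to the calldata. The forwarder is "trusted" only to report
// that address honestly; it says nothing about whether the address is allowed
// to do what it is asking for.
contract MinimalForwarder {
    function execute(address target, bytes calldata data)
        external
        returns (bool ok, bytes memory ret)
    {
        (ok, ret) = target.call(abi.encodePacked(data, msg.sender));
    }
}

contract PerpVault {
    address public immutable trustedForwarder;
    mapping(address => bool) public isKeeper;   // accounts allowed to push prices
    uint256 public ethUsdPrice;                 // ETH/USD price (assumed 18 decimals)

    struct Position { uint256 collateral; uint256 entryPrice; }
    mapping(address => Position) public longs;
    mapping(address => uint256) public balance; // internal accounting only

    constructor(address forwarder, address keeper) {
        trustedForwarder = forwarder;
        isKeeper[keeper] = true;
    }

    // Recover the forwarded sender when the call came through the forwarder;
    // otherwise the direct caller is the sender.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    // VULNERABLE: verifies the immediate caller is the forwarder, but never
    // checks WHO was forwarded. Anyone can call
    // forwarder.execute(vault, abi.encodeCall(vault.setPriceVulnerable, (p))).
    function setPriceVulnerable(uint256 price) external {
        require(msg.sender == trustedForwarder, "not forwarder");
        ethUsdPrice = price;
    }

    // HARDENED: the forwarded (or direct) caller must hold the keeper role.
    // The identity check is on the effective sender, not on the relay.
    function setPrice(uint256 price) external {
        require(isKeeper[_msgSender()], "not keeper");
        ethUsdPrice = price;
    }

    function deposit() external payable { balance[_msgSender()] += msg.value; }

    function openLong(uint256 collateral) external {
        address user = _msgSender();
        require(ethUsdPrice > 0, "no price");
        require(balance[user] >= collateral, "insufficient balance");
        balance[user] -= collateral;
        longs[user] = Position(collateral, ethUsdPrice);
    }

    // Payout scales with the price move since entry. With the vulnerable
    // setter, an attacker sets 100, opens, sets 10,000, closes, and is paid
    // 100x the collateral out of the vault's accounting.
    function closeLong() external {
        address user = _msgSender();
        Position memory p = longs[user];
        require(p.collateral > 0, "no position");
        delete longs[user];
        balance[user] += p.collateral * ethUsdPrice / p.entryPrice;
    }
}
```

The practical check when auditing a meta-transaction integration is therefore not "is the forwarder whitelisted?" but "is the address recovered by `_msgSender()` subject to the same role check a direct caller would face?"; any privileged function reachable through a forwarder that only tests `msg.sender == trustedForwarder` is effectively public.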
According to CoinGecko data, the news sent KiloEX's native token, KILO, down more than 27% to $0.03596. The price remains more than 78% below its all-time high of $0.1648, set on March 27.
Founded in 2023, KiloEX is backed by Binance Labs, its lead investor and strategic partner.
Just one day before the attack, on April 13, the exchange announced a partnership with Dubai-based Web3 venture capital firm DWF Labs, aimed at expanding KiloEX's market share and accelerating its growth.
On March 25, DWF Labs launched a $250 million liquidity fund to support the development of mid- and large-sized blockchain projects and to promote real-world adoption of Web3 technology.