KiloEx, a decentralized exchange (DEX), lost roughly $7 million in assets to an exploit a few hours ago. At press time, the platform said an investigation was under way and that it was urging the attacker to reach a resolution in order to avoid legal action.
Details of the Hack
According to blockchain security firm Cyvers, several suspicious transactions involving the KiloEx protocol were identified across multiple chains. The attacker funded a wallet through Tornado Cash and then carried out the transactions on Base, Taiko, and BNB Chain.
Investigators identified an access control vulnerability in the price oracle as the root cause. Price oracles bring external market data, such as asset prices, on-chain for decentralized applications to consume; if the function that writes those prices can be called by anyone, every contract that reads the oracle trusts whatever an attacker submits.
In this hack, the attacker used that gap in KiloEx's price feed to make the DEX accept false market rates. They then opened leveraged positions, which amplify both gains and losses, and closed them at outsized profit against the manipulated prices.
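The pattern described above, as an added illustration that is not KiloEx's code and does not claim to reproduce its contracts: a price oracle whose update function has no caller check, beside a hardened version that restricts updates to approved keepers, bounds how far a single update may move the price, and rejects stale reads. Contract names, the keeper role, the 5% deviation bound and the 5-minute staleness window are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example only: generic oracle contracts, not KiloEx's implementation.
// Prices are 1e18 fixed-point values per token address.

// VULNERABLE: anyone can set the price the rest of the protocol trusts.
contract UnprotectedOracle {
    mapping(address => uint256) public price;

    function setPrice(address token, uint256 newPrice) external {
        price[token] = newPrice; // no check on msg.sender at all
    }
}

// HARDENED: only approved keepers may update, each update is bounded,
// and consumers refuse prices that are too old.
contract ProtectedOracle {
    address public immutable admin;
    mapping(address => bool) public isKeeper;
    mapping(address => uint256) public price;
    mapping(address => uint256) public lastUpdate;

    uint256 public constant MAX_DEVIATION_BPS = 500; // 5% per update (assumed)
    uint256 public constant MAX_AGE = 5 minutes;     // staleness window (assumed)

    error NotAdmin();
    error NotKeeper();
    error ZeroPrice();
    error DeviationTooLarge(uint256 oldPrice, uint256 newPrice);
    error StalePrice();

    event PriceUpdated(address indexed token, uint256 price, address indexed keeper);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    modifier onlyKeeper() {
        if (!isKeeper[msg.sender]) revert NotKeeper();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    // Keeper management is itself restricted to the admin.
    function setKeeper(address keeper, bool allowed) external onlyAdmin {
        isKeeper[keeper] = allowed;
    }

    function setPrice(address token, uint256 newPrice) external onlyKeeper {
        if (newPrice == 0) revert ZeroPrice();
        uint256 old = price[token];
        if (old != 0) {
            // Reject any single update that moves the price more than MAX_DEVIATION_BPS.
            uint256 diff = newPrice > old ? newPrice - old : old - newPrice;
            if (diff * 10_000 > old * MAX_DEVIATION_BPS) {
                revert DeviationTooLarge(old, newPrice);
            }
        }
        price[token] = newPrice;
        lastUpdate[token] = block.timestamp;
        emit PriceUpdated(token, newPrice, msg.sender);
    }

    // Consumers (e.g. a perpetuals engine) read through here, so a price that
    // has not been refreshed within MAX_AGE cannot be used to open or close positions.
    function getPrice(address token) external view returns (uint256) {
        if (price[token] == 0 || block.timestamp - lastUpdate[token] > MAX_AGE) {
            revert StalePrice();
        }
        return price[token];
    }
}
```

The access check is the fix for the class of bug the article names; the deviation bound and staleness check are defence in depth, not substitutes for it. A compromised keeper can still walk the price in 5% steps, so in practice the per-update bound is paired with monitoring on `PriceUpdated` events and, where possible, a cross-check against a second independent feed before a leveraged position is settled.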
KiloEx confirmed the hack on its X account and immediately suspended trading to prevent further losses. It also urged users to flag the attacker's address to prevent further malicious activity. Assuring users that the issue was under control, the team said:
“The exploit has been contained. The team has immediately suspended platform usage and is working with security partners to trace the flow of funds. The team will release a bounty program. We are analyzing the attack vector and affected assets. We are collaborating with ecosystem partners to trace and recover funds where possible.”
According to KiloEx's own investigation, the attacker moved the stolen funds through the cross-chain bridges zkBridge and Meson.
KiloEx Offers 10% Whitehat Bounty
The platform has also tried to communicate publicly with the attacker, offering to let them keep 10% of the funds as a whitehat bounty if they return the remaining 90% to specified addresses within 72 hours.
This approach to resolving a hack is not new in the crypto sector; other projects have recently made similar offers to their attackers.