Due to a vulnerability in the access control for its price oracle, attackers stole $7.5 million from the KiloEx exchange. The funds were immediately moved out via zkBridge and Meson while the team tried to stop the transactions.

On the night of April 15, the KiloEx exchange reported a large-scale attack. The attackers exploited a vulnerability in the MinimalForwarder smart contract, which did not check who was calling the oracle's price-update functions. This let the attacker push the ETHUSD price down, open a position at that price, and then immediately close it at an inflated price, booking $3.12 million in profit from a single transaction.
A total of $7.5 million was stolen in BNB, Base, and Taiko tokens. The KiloEx team has already stopped further withdrawals, is cooperating with BNB Chain, Manta Network, Seal-911, SlowMist, Sherlock and is preparing a report. At the same time, a reward program has been launched for the return of assets.
KiloEx is a decentralized derivatives trading platform. Like other DeFi projects, it depends on price oracles, services that feed "real" market prices onto the blockchain. This is the point the attackers targeted: the MinimalForwarder code performed no access-rights check, so in practice anyone could change the price. Similar attacks have happened before, for example on Mango Markets in 2022. It is another reminder that "decentralization" does not protect against human error in code.
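As an added illustration (not KiloEx's code), the following simplified Solidity sketch shows the class of bug described above: a price feed reached through an ERC-2771-style trusted forwarder with no check on the caller, beside a hardened form that gates updates on a keeper allow-list. The contract names PriceFeedBase, VulnerablePriceFeed and HardenedPriceFeed, and the setPrice function, are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical simplified price feed; contract and function names are
// assumptions for illustration, not KiloEx's actual code.
abstract contract PriceFeedBase {
    address public immutable trustedForwarder;
    mapping(bytes32 => uint256) public prices;

    constructor(address forwarder) {
        trustedForwarder = forwarder;
    }

    // ERC-2771 style: when the trusted forwarder relays a call, the
    // original sender is the last 20 bytes of calldata.
    function _msgSender() internal view returns (address sender) {
        sender = msg.sender;
        if (sender == trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        }
    }
}

// Weak form: nothing checks who reaches setPrice, so any address that
// gets a call relayed through the forwarder can rewrite the price.
contract VulnerablePriceFeed is PriceFeedBase {
    constructor(address forwarder) PriceFeedBase(forwarder) {}

    function setPrice(bytes32 market, uint256 price) external {
        prices[market] = price;
    }
}

// Hardened form: the update is gated on a keeper allow-list resolved
// through _msgSender(); production code would manage the list through
// an owner or governance role rather than fixing it at deployment.
contract HardenedPriceFeed is PriceFeedBase {
    mapping(address => bool) public isKeeper;

    constructor(address forwarder, address keeper) PriceFeedBase(forwarder) {
        isKeeper[keeper] = true;
    }

    function setPrice(bytes32 market, uint256 price) external {
        address caller = _msgSender();
        require(isKeeper[caller], "caller is not a keeper");
        prices[market] = price;
    }
}
```

The check must be applied to the recovered original sender, not to msg.sender alone, because a relayed call always arrives from the forwarder's address.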
Smart-contract vulnerabilities remain the main attack vector in the crypto market. The KiloEx exploit shows that a single oversight in oracle access control can cost millions. Teams should commission external audits, and users should be cautious with young platforms.