Decentralized exchange KiloEx says $7.5M exploit has been contained

Decentralized exchange KiloEX has confirmed it has suspended usage of its platform and is tracing stolen funds after suffering a $7.5 million exploit. 

The exploit has been contained, with use of the platform suspended and an investigation underway, the KiloEX team said in an April 14 statement to X.

“The team has immediately suspended platform usage and is working with security partners to trace the flow of funds,” KiloEX said. 

“We are analyzing the attack vector and affected assets. We are collaborating with ecosystem partners to trace and recover funds where possible.” 

A bounty program and a full report on how the exploit occurred is also in the works, according to KiloEX. 

In an update, the KiloEX team said it was collaborating with BNB Chain, Manta Network, and cybersecurity firms Seal-911, SlowMist and Sherlock in an effort spanning “multiple ecosystems.” 

“Our investigation has confirmed that the stolen assets are currently being routed through zkBridge and Meson,” KiloEX said. 

“We are urgently attempting to engage with both protocols to halt ongoing transactions and prevent additional losses.” 

KiloEX attacker exploited price oracle issue, say analysts 

Cybersecurity firm PeckShield said in an April 14 post to X the exploiter looted $7.5 million in total, $3.3 million Base, $3.1m opBNB and $1m BSC. 

The firm has speculated the exploit is likely a “price oracle issue,” where the information used by a smart contract to determine the price of an asset is manipulated or inaccurate, leading to the exploit. 

“Our initial analysis on one transaction exploit indicates a price oracle issue,” PeckShield said. 

“The hacker exploits it to create a new position with initial given ETH/USD price of 100 and then immediately close the position with inflated ETH/USD price of 10000, netting the $3.12m profit in one single transaction.” 

Chaofan Shou, co-founder of blockchain analytics firm Fuzzland, also weighed in, speculating the exploit was likely due to a price oracle issue.

“Anyone can change the Kilo’s price oracle. They did verify that the caller shall be a trusted forwarder, though, but didn’t verify the forwarded caller,” Shou said. 

Shou added it was a “very simple vulnerability” when a user asked about the complexity of the exploit. 

The news has sent the KiloEX’s native token, Kilo, plunging over 27% to trade at $0.03596, according to CoinGecko. It’s still down over 78% from its all-time high of $0.1648, which it hit on March 27.

Related: Mantra CEO says OM token recovery ‘primary concern’ but in early stages

KiloEx was established in 2023 and is backed by Binance Labs, which is a lead investor and strategic partner. 

This exploit comes just days after the exchange announced a partnership with Dubai-based Web3 venture capitalist firm DWF Labs on April 13, which promised to expand KiloEx’s market presence and accelerate growth. 

On March 25, DWF Labs launched a $250 million Liquid Fund to accelerate the growth of mid- and large-cap blockchain projects and drive real-world adoption of Web3 technologies.

Magazine: Bitcoin eyes $100K by June, Shaq to settle NFT lawsuit, and more: Hodler’s Digest, April 6–12