KiloEX Suffers $7.5 Million Loss in Price Oracle Exploit

Generated by AI AgentCoin World
Tuesday, Apr 15, 2025 11:16 am ET

KiloEX, a decentralized exchange (DEX) built on BNB Chain, recently suffered a significant security breach that cost it $7.5 million. The attack, identified as a price oracle exploit, has led KiloEX to suspend operations while it works to recover the stolen funds. Binance Labs, which funded KiloEX as part of its initiative to support Binance Coin (BNB) projects, is likely to be watching the situation closely.

Because KiloEX is deployed on several chains (BNB Smart Chain, Taiko and Base), the hack affected multiple tokens. The attacker used an address funded through Tornado Cash, a cryptocurrency mixer, which has raised suspicions of North Korean involvement, since those groups have relied on such mixers in previous attacks. The attacker moved the funds with MetaMask and focused on withdrawing stablecoins rather than Ethereum. The stolen funds were traced to separate wallets, with no indication so far that Tornado Cash was used to launder the tokens.

Chaofan Shou, co-founder of Fuzzland, attributed the attack to a price oracle issue, noting that anyone could alter the price oracle of KiloEX. Shou explained that while there is a trusted forwarder process, there is no verification after the forward is completed. This oversight allowed the exploit to occur, which Shou described as a simple process that could have been prevented with proper security measures.

In response to the attack, KiloEX quickly isolated the exploit and suspended its platform. The DEX has engaged other security firms to help trace the funds and is offering rewards to anyone who helps retrieve them. KiloEX intends to publish a final incident report so that similar attacks can be prevented in the future.

Most KiloEX users kept their tokens in the KiloEX vault, which was the attacker's primary target, so losses were concentrated on vault depositors. KiloEX has shared the attacker's address with other platforms so that they can block the hackers from cashing out the stolen funds, a practice that has become increasingly common in the industry.

KiloEX, which has been operating since 2023, recently expanded by listing more BNB-based meme tokens for users to trade. Despite the attack, the DEX still holds around $47.2 million in total value. In the past day it saw $31.8 million of trading activity, $22 million of it in the BTC-USDT pair.

Price oracles act as the bridge between a DEX and the outside world, supplying the price of tokens like Bitcoin or Ethereum that the exchange uses to settle trades. In KiloEX's case, the attacker pushed the Ethereum price to $100, opened a position at that artificially low price, then pushed the price to $10,000 and closed the position, booking a large paper profit against the vault. Because the exchange treats the oracle price as the truth for settlement, that profit was paid out like any legitimate gain, and the attacker withdrew it within minutes, leaving KiloEX users with significant losses.
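The two points above, Shou's observation that the forwarder path lacked any verification after the forward and the $100-to-$10,000 price swing, can be put together in a small model. The following is an added example written for this page, not KiloEX's code: a toy perpetuals vault whose price setter is restricted to a keeper, but reachable through an ERC-2771-style forwarder that appends whatever sender the caller claims. The `verify_after_forward` flag switches between the flawed behaviour (the vault trusts the forwarded sender) and a fix where the vault itself checks the keeper's signature and a fresh nonce. The $100 and $10,000 prices come from the article; the keeper key, the 1,000 USDT collateral, 50x leverage and 1,000,000 USDT of vault liquidity are assumptions, and HMAC stands in for ECDSA.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed example: names, keys and amounts are assumptions, not KiloEX's.
KEEPER = "keeper"
KEEPER_KEY = b"keeper-private-key"   # stand-in for the price keeper's signing key
ATTACKER = "attacker"
FORWARDER = "forwarder"


def sign_price(key: bytes, symbol: str, price: float, nonce: int) -> str:
    """Keeper signs (symbol, price, nonce). HMAC stands in for an ECDSA signature."""
    msg = f"{symbol}|{price}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Vault:
    verify_after_forward: bool              # False reproduces the flaw, True the fix
    liquidity: float = 1_000_000.0          # USDT deposited by liquidity providers (assumed)
    prices: dict = field(default_factory=dict)
    nonces: dict = field(default_factory=dict)
    positions: dict = field(default_factory=dict)  # trader -> (symbol, collateral, size_usd, entry)

    def _msg_sender(self, caller, forwarded_from):
        # ERC-2771 style: if the trusted forwarder called us, use the sender it appended.
        return forwarded_from if caller == FORWARDER and forwarded_from else caller

    def set_price(self, caller, forwarded_from, symbol, price, nonce=0, sig=""):
        sender = self._msg_sender(caller, forwarded_from)
        if sender != KEEPER:
            raise PermissionError("only the keeper may push prices")
        if self.verify_after_forward:
            # The fix: verify the keeper's own signature and a fresh nonce here, in the
            # consumer, so a forwarder that relays an unverified 'from' gains nothing.
            expected = sign_price(KEEPER_KEY, symbol, price, nonce)
            if not hmac.compare_digest(expected, sig) or nonce <= self.nonces.get(symbol, 0):
                raise PermissionError("bad keeper signature or stale nonce")
            self.nonces[symbol] = nonce
        self.prices[symbol] = price

    def open_long(self, trader, symbol, collateral, leverage):
        self.positions[trader] = (symbol, collateral, collateral * leverage, self.prices[symbol])

    def close(self, trader) -> float:
        """Settles at the current oracle price and returns what the trader is paid."""
        symbol, collateral, size_usd, entry = self.positions.pop(trader)
        pnl = size_usd * (self.prices[symbol] / entry - 1)
        paid = min(pnl, self.liquidity)     # the vault can only pay out what it holds
        self.liquidity -= paid
        return collateral + paid


def forward(vault, claimed_from, method, *args):
    """Meta-transaction relay that appends the claimed sender without checking it."""
    getattr(vault, method)(FORWARDER, claimed_from, *args)


def run_exploit(verify_after_forward: bool):
    """Returns (attacker payout, vault liquidity left); raises PermissionError on the fixed vault."""
    vault = Vault(verify_after_forward=verify_after_forward)
    # A genuine keeper update, properly signed.
    forward(vault, KEEPER, "set_price", "ETH", 1_500.0, 1,
            sign_price(KEEPER_KEY, "ETH", 1_500.0, 1))
    # Attacker relays a request claiming to be the keeper: ETH = $100, no signature.
    forward(vault, KEEPER, "set_price", "ETH", 100.0)
    vault.open_long(ATTACKER, "ETH", collateral=1_000.0, leverage=50)
    # Then ETH = $10,000, and the position is closed against the vault.
    forward(vault, KEEPER, "set_price", "ETH", 10_000.0)
    return vault.close(ATTACKER), vault.liquidity


if __name__ == "__main__":
    print("flawed vault:", run_exploit(False))      # attacker drains the vault
    try:
        run_exploit(True)
    except PermissionError as e:
        print("fixed vault rejected the forged update:", e)
```

On the flawed vault, 1,000 USDT at 50x opened at $100 and closed at $10,000 yields a 4,950,000 USDT paper profit, of which the vault pays everything it holds. The design point is where the check lives: an access-control modifier on `set_price` is worthless if the sender it inspects is a value the forwarder copied from untrusted input, so the consumer must verify a signature over the price data itself, with a nonce against replay, regardless of which path the call arrived on.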

KiloEX launched as perpetual DEXs were gaining popularity, offering self-custody and more control over funds. The platform settles every trade on-chain, giving users immediate access to their funds. The flip side is that on-chain settlement is final: once the manipulated trades were confirmed, the payouts could not be reversed at the protocol level, and the stolen funds left the vault like any other legitimate withdrawal. As a DEX, KiloEX performs no KYC, so the attacker could trade anonymously.
