Original | Odaily Planet Daily (@OdailyChina)
This morning, the on-chain perpetual contract platform KiloEx, backed by YZi Labs, was hacked for a loss of over $7 million, with assets drained across multiple chains including BNB Chain and Base. According to on-chain data, the project's token KILO has dropped 22.8% in the last 24 hours and is currently priced at $0.038. Official data shows the value of KiloEx's open positions has fallen to $6 million, and DefiLlama puts KiloEx's TVL at $34 million.
Below, Odaily Planet Daily summarizes the cause of the KiloEx hack, the team's response, and community reactions.
KiloEx Project Overview
KiloEx is a decentralized exchange focused on perpetual contract trading, aiming to give users a friendly trading experience. KiloEx supports multiple blockchains, including BNB Chain, opBNB, Manta, Taiko, and Base. It keeps perpetual contract prices anchored to spot prices through funding rate differentials, which is meant to keep trading stable and reliable. The advantages KiloEx advertises for its platform include:
No need for native Gas tokens: Supports USDT/USDC for gas fees, eliminating the need for additional cross-chain conversions;
Signature-free trading, easy operation: no per-trade wallet signatures are required, making the trading process smoother;
Efficient execution, close to CEX experience: Optimized trading speed enhances user interaction efficiency.
In August 2023, YZi Labs announced investments in four outstanding MVB VI projects, including the perpetual contract DEX KiloEx (the other three being the Ethereum scaling project AltLayer, the DeFi lending protocol Kinza, and the AI game Sleepless AI). Additionally, KiloEx is a member of the BNB Chain airdrop alliance program.
On March 27 of this year, Binance Wallet collaborated with PancakeSwap to launch the exclusive TGE for KiloEx (KILO), which was oversubscribed nearly 300 times. On the same day, Binance Alpha announced the listing of KiloEx (KILO).
The Root Cause of the KiloEx Hack: Access Control Vulnerability in Price Oracles
According to on-chain data monitoring, the decentralized perpetual contract protocol KiloEx suffered a hacker attack, resulting in a total asset loss of approximately $7.4 million, distributed across the Base chain (approximately $3.3 million), opBNB chain (approximately $3.1 million), and BNB Smart Chain (approximately $1 million).
The root cause of this attack was a serious access control vulnerability in the protocol's price oracle. In simple terms, the oracle's price-update function should only have been callable by trusted keepers, but it lacked the necessary caller permission check. An attacker could therefore bypass the intended verification, write arbitrary asset prices into the oracle, and thereby control the contract logic that depends on those prices (position entry and exit valuation).
Analysis of the KiloEx hacked address
Blockchain security firm PeckShield published a preliminary analysis detailing one transaction that exploited this vulnerability. The attacker first opened a position in the ETHUSD market at an abnormally low price (about $100), then pushed the ETH/USD oracle price up to an exaggerated $10,000, and immediately closed the position. No real market movement was needed; the vault paid out the difference between the manipulated entry and exit prices, and this single transaction yielded as much as $3.12 million.
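The following is an added illustration of the two points above, written for this article and not KiloEx's own contracts. The contract names (OpenPriceFeed, GuardedPriceFeed, MiniVault), the keeper allow-list, the 10% deviation cap and the 8-decimal price format are all assumptions chosen to make the pattern concrete; only the shape of the bug (a price setter anyone can call, and a vault that settles PnL from that price) mirrors what the incident reports describe.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not KiloEx code. Names and numbers are hypothetical.

// VULNERABLE: setPrice has no caller restriction, so any address can
// write any price. This is the class of bug described in the article.
contract OpenPriceFeed {
    mapping(bytes32 => uint256) public price; // USD price, 8 decimals

    function setPrice(bytes32 market, uint256 usd8) external {
        price[market] = usd8; // BUG: no access control on the oracle update
    }
}

// HARDENED: only allow-listed keepers may update, and a single update may
// not move the price by more than MAX_DEVIATION_BPS from the last value.
contract GuardedPriceFeed {
    address public owner;
    mapping(address => bool) public isKeeper;
    mapping(bytes32 => uint256) public price;
    uint256 public constant MAX_DEVIATION_BPS = 1_000; // 10% per update (assumed)

    error NotKeeper(address caller);
    error Deviation(uint256 oldPrice, uint256 newPrice);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyKeeper() {
        if (!isKeeper[msg.sender]) revert NotKeeper(msg.sender);
        _;
    }

    function setKeeper(address k, bool ok) external onlyOwner { isKeeper[k] = ok; }

    function setPrice(bytes32 market, uint256 usd8) external onlyKeeper {
        uint256 old = price[market];
        if (old != 0) {
            uint256 diff = usd8 > old ? usd8 - old : old - usd8;
            // Reject a jump like 100 -> 10_000 even from a valid keeper key.
            if (diff * 10_000 / old > MAX_DEVIATION_BPS) revert Deviation(old, usd8);
        }
        price[market] = usd8;
    }
}

interface IPriceFeed {
    function price(bytes32 market) external view returns (uint256);
}

// Minimal long-only vault showing why the oracle bug is directly exploitable:
// both the entry and exit valuation come from the feed with no other check.
contract MiniVault {
    IPriceFeed public immutable feed;

    struct Position { uint256 size; uint256 entry; } // size in 1e18 asset units
    mapping(address => mapping(bytes32 => Position)) public positions;
    mapping(address => int256) public balance; // signed USD (8 dec), illustration only

    constructor(IPriceFeed f) { feed = f; }

    // Open a long at whatever the feed says right now.
    function openLong(bytes32 market, uint256 size) external {
        uint256 p = feed.price(market);
        require(p != 0, "no price");
        positions[msg.sender][market] = Position(size, p);
    }

    // Close and credit PnL = size * (exit - entry). With OpenPriceFeed the
    // attacker sets entry = 100e8, then exit = 10_000e8, and is paid by the vault.
    function closeLong(bytes32 market) external {
        Position memory pos = positions[msg.sender][market];
        require(pos.size != 0, "no position");
        uint256 exitPrice = feed.price(market);
        int256 pnl = int256(pos.size) * (int256(exitPrice) - int256(pos.entry)) / 1e18;
        delete positions[msg.sender][market];
        balance[msg.sender] += pnl;
    }
}
```

Against OpenPriceFeed, the sequence in PeckShield's description is three calls from one address in one transaction: setPrice(ETHUSD, 100e8), openLong, setPrice(ETHUSD, 10_000e8), closeLong. Against GuardedPriceFeed the first setPrice reverts with NotKeeper, and even a leaked keeper key cannot move the price a hundredfold in one update because of the deviation cap. A production feed would additionally carry a timestamp and reject stale or future-dated updates; that is left out here to keep the access-control point in focus.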
Currently, the hacker address (0x00fac92881556a90fdb19eae9f23640b95b4bcbd) is continuously moving funds out via zkBridge, with $5.4 million still not yet transferred.
KiloEx Official Response to the Theft: KiloEx Vault Attacked
In response to this major security incident, the KiloEx team promptly issued an official statement. According to the announcement, the attack targeted KiloEx's core asset module, the KiloEx Vault; the attackers compromised the module and succeeded in withdrawing a large amount of the platform's funds.
The statement emphasized that the team took emergency measures immediately after the incident, urging all integrated and partner protocols, trading platforms, and third-party service providers to blacklist the attacker's address at once in order to block further movement or laundering of the stolen assets. To encourage the community to help investigate and track the funds, KiloEx also announced a bounty program to reward individuals and organizations who provide useful information about the vulnerability or assist in recovering the assets.
KiloEx also stated that the attack has been contained and that platform functions have been suspended. KiloEx is working closely with several professional security firms to trace the flow of funds and analyze the attacker's technical path. The team is currently analyzing the specific attack method and the affected assets, and expects to release a full incident report to the community in the coming days.
Lack of Specific Compensation Plan Sparks Community Discontent
Although the KiloEx team responded quickly after the incident, taking a series of measures including suspending the platform, tracing funds, and bringing in security firms, the question the community cares about most, namely how user losses will be compensated, was not addressed in the announcement, which disappointed users. Given the $7.4 million stolen, users want to know whether the platform will take responsibility and whether any compensation mechanism exists, but the statement is silent on this.
This omission quickly triggered a wave of skepticism in the community. The comments under KiloEx's social media posts are filled with heated accusations such as "inside job," "rug pull," and "staged performance," with some users asking, "The circulating market cap is only $8 million, and $7.4 million was stolen, so how are you going to compensate us?"
As of now, the KiloEx team has not made any public statement on compensation, which may lead to a broader wave of user complaints and asset withdrawals. Odaily Planet Daily will continue to follow this story.
Disclaimer: This article represents only the personal views of the author and does not represent the position or views of this platform. It is provided for informational purposes only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image published on this page infringes your rights, please send proof of rights and proof of identity to support@aicoin.com, and the platform's staff will review it.