The actual losses from this attack are nearly equal to its current market value.
Written by: ChandlerZ, Foresight News
On April 15, the perpetual contract DEX KiloEx announced that its treasury had been attacked, and the situation is currently under control. The KiloEx platform's functions have been suspended, and the team is working with security partners to trace the flow of funds and plans to launch a bounty program. KiloEx is analyzing the attack path and affected assets while collaborating with ecosystem partners to attempt to recover the funds. A complete report will be released soon.
On-chain data shows that KiloEx's address suffered a loss of approximately $7.4 million, with $3.3 million on the Base network, $3.1 million on the opBNB network, and $1 million on the BNB Chain.
Market data indicates that KILO has dropped over 33% in the last 24 hours, with a low price of 0.033 USDT, currently reported at 0.0346 USDT.
According to Cyvers Alerts monitoring, the root cause of this hacker attack may be a vulnerability in the access control of the price oracle.
In simple terms, the oracle should only accept price updates from trusted parties, but because the necessary permission restrictions were missing, attackers were able to bypass the verification mechanism and set asset prices arbitrarily, thereby controlling the contract logic that depends on those prices.
Preliminary analysis by Pionex on one of the attack transactions indicates that this is a price oracle issue. The attacker exploited this vulnerability by setting the initial price of ETHUSD to 100 when opening a position, and then immediately closing it at an inflated ETHUSD price of 10,000, profiting approximately $3.12 million from just this transaction.
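The two patterns below are an added illustration of the access-control weakness described above, not KiloEx's own contracts or any code from the Cyvers or Pionex analyses. The first feed lets any caller overwrite a price; the second shows the checks a defender would expect on a push-style oracle: an allow-list of keepers, a bounded per-update deviation (the 10% limit and 5-minute staleness window are assumed values), and a staleness check on reads so that a consumer such as a perpetual contract cannot settle against an arbitrary or stale quote. The contract names, the `ETHUSD` pair key and the limits are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Weak pattern: no restriction on who may write a price.
/// Any address can call setPrice and every consumer reading this
/// feed will act on whatever value was last written.
contract OpenPriceFeed {
    mapping(bytes32 => uint256) public price;

    function setPrice(bytes32 pair, uint256 p) external {
        price[pair] = p; // unauthenticated, unbounded update
    }
}

/// Hardened pattern: allow-listed keepers, bounded deviation, staleness guard.
contract GuardedPriceFeed {
    address public owner;
    mapping(address => bool) public isKeeper;
    mapping(bytes32 => uint256) public price;
    mapping(bytes32 => uint256) public updatedAt;

    // Assumed policy values: reject a single update that moves the price
    // more than 10% (1000 basis points) and treat quotes older than
    // 5 minutes as unusable for settlement.
    uint256 public constant MAX_DEVIATION_BPS = 1000;
    uint256 public constant MAX_AGE = 5 minutes;

    event PriceUpdated(bytes32 indexed pair, uint256 price, address indexed keeper);
    event KeeperSet(address indexed keeper, bool allowed);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlyKeeper() {
        require(isKeeper[msg.sender], "not keeper");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Only the owner (in practice a multisig or timelock) manages keepers.
    function setKeeper(address keeper, bool allowed) external onlyOwner {
        isKeeper[keeper] = allowed;
        emit KeeperSet(keeper, allowed);
    }

    /// Authenticated update with a deviation bound: a jump such as
    /// 100 -> 10000 within one update is rejected rather than stored.
    function setPrice(bytes32 pair, uint256 p) external onlyKeeper {
        require(p != 0, "zero price");
        uint256 cur = price[pair];
        if (cur != 0) {
            uint256 diff = p > cur ? p - cur : cur - p;
            require(diff * 10_000 <= cur * MAX_DEVIATION_BPS, "deviation too large");
        }
        price[pair] = p;
        updatedAt[pair] = block.timestamp;
        emit PriceUpdated(pair, p, msg.sender);
    }

    /// Consumers (e.g. a position open/close path) read through this
    /// function so that an unset or stale quote cannot be used to settle.
    function getPrice(bytes32 pair) external view returns (uint256) {
        uint256 ts = updatedAt[pair];
        require(ts != 0, "no price");
        require(block.timestamp - ts <= MAX_AGE, "stale price");
        return price[pair];
    }
}
```

The deviation bound is a circuit breaker rather than a substitute for authentication: the `onlyKeeper` check is what closes the gap the article describes, while the bound and the `PriceUpdated` event give the operator something to alert on if a keeper key is ever misused.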
What is KiloEx?
KiloEx is a decentralized perpetual DEX focused on risk management, capital efficiency optimization, and the ecosystem integration of LST tokens. KiloEx participated in the recent airdrop alliance event launched by BNB Chain and the Renew Paradigm event on Manta Pacific, earning stablecoin yields by staking STONE. Additionally, KiloEx plans to launch hybrid vault and hybrid margin trading features.
KiloEx itself is a Perp DEX based on oracle pricing, similar to GMX, with its core innovations including:
- Stablecoin-neutral LP with built-in hedging
- Copy Trading
- Token economics that draw on today's advanced mechanisms
In terms of financing, KiloEx has received investment from Binance Labs and was incubated in its MVB Season 6. It has also secured investments from Foresight Ventures, Crescendo Ventures, Manta Network, 7UP DAO, Poolz Finance, GTS Ventures, and several angel investors.
KiloEx completed its exclusive TGE on Binance Wallet on March 27, attracting over 70,000 users to participate in the new token offering, with subscriptions exceeding 300 times the target.
According to data from its official website, KiloEx has a total trading volume of $3.764 billion, with a current TVL of $33.84 million. DefiLlama data shows that KiloEx has an average daily trading volume of about $10 million, with a weekly trading volume of about $50 million.
Trust Crisis and Community Doubts Exposed by the Security Incident
Although the project team promptly suspended platform functions and collaborated with security agencies to trace the flow of funds, the actual losses from this attack are nearly equal to its current market value of $7.3 million, while its fully diluted valuation is only about $34.49 million. The theft of such a large amount of funds from a project of this size has undoubtedly dealt a heavy blow to user confidence. Even more concerning is that, as of now, the KiloEx team has not released any details regarding user compensation mechanisms, recovery plans, or how the team's own funds will be used in response, leaving it unclear whether this is to be treated purely as a "hacker attack" or whether the project team itself bears responsibility.
On social media platforms, many community members expressed strong dissatisfaction, believing that KiloEx lacks a clear commitment to protecting user interests at a critical moment. Some users accused the project team of "running away in a bear market" and "raising funds loudly while handling aftermath quietly," expressing concerns about platform governance and financial transparency. The rapid shift in market sentiment has also led to a significant drop of over 30% in the KILO token in a short period.
The KiloEx incident, although still in the early stages of incident handling, has exposed the core contradiction in a new round of "sustainability testing" for decentralized protocols: security is not something to be addressed only after the project goes live, but a responsibility that must be designed in at the initial architecture stage. Especially since KiloEx was incubated by Binance Labs and participated in the airdrop alliance, the trust between its core user base and the platform rests on the perception of "official endorsement." If the project team cannot present a clear responsibility plan, then regardless of whether the funds are recovered, market confidence in its "safety and controllability" will be fundamentally weakened, potentially affecting the reputation of its ecosystem partner network as well.
Structural Challenges Amid Frequent Security Incidents: Not Just a KiloEx Issue
Meanwhile, the Web3 space has recently seen a surge in security-related negative events, further exacerbating the industry's trust crisis. Shortly after KiloEx was hacked, Odin.fun co-founder Bob Bodily tweeted yesterday that his account appeared to have been hacked, and the incident is still being handled. Previously, users reported that the assets in their associated accounts had been emptied, suspected to be stolen. The extension of hacker attacks from project contracts to founders' personal assets indicates that attackers are no longer limited to technical vulnerabilities but are conducting systematic attacks across multiple dimensions: permissions, social engineering, and operational loopholes. This places higher-level security governance requirements on project teams.
Particularly concerning is that some small and medium-sized DEXs are designed to price through on-chain oracles, yet still have significant shortcomings in access control, permission verification, and alerting on abnormal behavior. Across the Web3 industry, issues such as the lack of compensation mechanisms, imbalanced permission configurations, and power vacuums in token governance are gradually becoming red-line indicators in the new generation of community investment evaluation. In the past, the market often focused more on product design and token return models, but with the frequent occurrence of security incidents and tightening regulation, whether a project can establish a full-chain mechanism of "prevention beforehand, freezing during incidents, and compensation afterwards" will become a core variable in whether users and capital continue to support it.