KiloEx, a decentralized perpetual futures exchange, suffered $7 million in losses across three blockchains due to a price oracle manipulation attack executed by an address funded via Tornado Cash, web3 security shop Cyvers alerted late on Monday. Per the report, an exploiter used an oracle-access control vulnerability to feed KiloEx incorrect prices, allowing the culprit to siphon funds on Base, BNB Chain and Taiko.
Oracles collect onchain data from several networks and transmit it to decentralized applications for their operations. In this case, the assailant exploited a loophole in KiloEx’s price system and made the DEX accept false market rates. They then opened leveraged positions, which amplify gains on a successful trade and losses on a failed one, and made outsized returns because of the altered market prices. Data showed profits of over $3 million in a single transaction on KiloEx during the incident.
Also, the bad actor funded the attack wallet using Tornado Cash, an Ethereum-based privacy tool that shrouds where funds came from. KiloEx confirmed the sophisticated assault and halted the trading platform to mitigate further outflows. “The exploit has been contained,” an April 14 update from the protocol said. “The team immediately suspended platform usage and is working with security partners to trace the flow of funds. The team will release a bounty program.”
The latest update from KiloEx sought to establish communication with the hacker. According to a Tuesday post on X, the scammer may keep 10% of the stolen funds as a reward if they return 90% of the loot. “We will tweet about this resolution, acknowledging your cooperation and closing the case without further action,” the team wrote. “If you agree, please contact us at [email protected] or send an on-chain message to confirm.”
Should the exploiter snub KiloEx’s olive branch, the DEX promised to expose their identity and seek legal remedies. “If you fail to comply. We will escalate the investigation with law enforcement and cybersecurity partners. Your identity and activities will be exposed to relevant authorities. We will pursue legal action relentlessly. The choice is yours. Act now to avoid irreversible consequences,” KiloEx threatened.
Oracle flaws aren’t new to dapps. Avraham Eisenberg extracted $110 million from Mango Markets in 2022 in what he described as a “highly profitable trading strategy” by tweaking market prices on the Solana-based options trading provider. Eisenberg was convicted on fraud charges in 2024 by a federal court in Manhattan and has requested a new trial.
© 2025 The Block. All Rights Reserved.