KiloEx Suffers Major Attack: Understanding the Vulnerability Behind the $7 Million Loss

KiloEx, a decentralized exchange (DEX) for trading perpetual futures, was hit by a sophisticated attack earlier Tuesday that left users reeling with losses of around $7 million.

The exploit unfolded across multiple blockchain networks and appeared to stem from a vulnerability in the platform’s price oracle system, according to blockchain analysis firm Cyvers.

An attacker, using a wallet funded through Tornado Cash—a tool that obscures transaction trails—executed a series of transactions on the Base, BNB Chain, and Taiko networks, taking advantage of a flaw in the platform’s price oracle system that allowed for manipulation of asset prices.

KiloEx has since confirmed the breach, suspended platform operations, and is now working with partners to trace the stolen funds and blacklist the attacker’s wallet.

Oracles are services that relay external data, such as market prices, onto a blockchain, where smart contracts use that data to make decisions in financial applications. In practice, the oracle tells the platform whether ether (ETH) is worth $2,000 or $3,000, so that trades settle at fair market prices.

However, oracles can represent a weak link in the security chain. In KiloEx's case, the attacker exploited a vulnerability in the access control of the price oracle: a flaw that let them tamper with the price data, using flash loans (temporary borrowed liquidity), and trick the system into accepting false prices.

The attacker manipulated the oracle to report an absurdly low price for ETH (for example, $100) when opening a leveraged trading position. Leverage permits traders to borrow funds in order to amplify their stakes, so a fake price can create massive market distortions.

This enabled the attacker to create the illusion of a vast profit, which they subsequently withdrew from KiloEx’s vault. The attacker repeated this process across Base, BNB Chain, and Taiko, exploiting KiloEx’s cross-chain setup to maximize their gains before the platform had the opportunity to react.
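To make the two missing controls concrete, the following is an added Python model, not KiloEx's contract code (which the article does not show): a price feed that refuses updates from anyone outside an allow-listed keeper set and rejects prices outside a deviation bound around a reference price, beside the long-position PnL arithmetic that turns a fake $100 entry into a fictitious gain when marked at $2,000. The keeper name, the 5% bound and the collateral and leverage inputs are assumptions for the demonstration; the $100 and $2,000 figures are the article's own illustration.

```python
# Figures from the article's illustration: fair ETH about $2,000, faked price $100.
FAIR_ETH_PRICE = 2_000.0
FAKED_ETH_PRICE = 100.0

class OracleError(Exception):
    """Raised when a price update is rejected."""

class GuardedOracle:
    """Hypothetical price-feed model (not KiloEx's contract): only allow-listed keepers
    may push prices, and an update must stay within max_deviation_bps of a reference
    price such as a TWAP or an independent feed."""

    def __init__(self, keepers, reference_price, max_deviation_bps=500):
        self.keepers = set(keepers)
        self.reference_price = reference_price
        self.max_deviation_bps = max_deviation_bps
        self.price = reference_price

    def update_price(self, sender, new_price):
        # Access control: a caller that is not a keeper is refused outright.
        if sender not in self.keepers:
            raise OracleError(f"unauthorised updater {sender}")
        # Sanity bound: a price far from the reference is refused rather than trusted.
        deviation_bps = abs(new_price - self.reference_price) / self.reference_price * 10_000
        if deviation_bps > self.max_deviation_bps:
            raise OracleError(f"{new_price} is {deviation_bps:.0f} bps from reference")
        self.price = new_price
        return new_price

def long_pnl(collateral, leverage, entry_price, mark_price):
    # Long PnL: notional size times the relative price move since entry.
    return collateral * leverage * (mark_price - entry_price) / entry_price

def payout_if_fake_price_accepted(collateral, leverage):
    """Profit the vault would owe a long opened at the faked $100 and marked at $2,000."""
    return long_pnl(collateral, leverage, FAKED_ETH_PRICE, FAIR_ETH_PRICE)

def guarded_update_accepted(sender, new_price):
    """Whether a guarded feed (assumed keeper 'keeper', 5% bound around $2,000) accepts the update."""
    oracle = GuardedOracle(keepers={"keeper"}, reference_price=FAIR_ETH_PRICE)
    try:
        oracle.update_price(sender, new_price)
        return True
    except OracleError:
        return False
```

With $1,000 of collateral at 10x, a long opened at the faked price and marked at the fair price shows a $190,000 gain, which is why the update itself, not the trade, is the point to block.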

In one reported transaction, the attacker netted a staggering $3.12 million in a single move.

This incident is not the first of its kind; previous attacks have similarly targeted DeFi platforms through oracle manipulation. Notable examples include Mango Markets in 2022, where $100 million was stolen, and Cream Finance in 2021, resulting in losses of $130 million.
