A critical flaw has been exposed in the decentralized perpetual exchange KiloEx. On-chain analysis has revealed that a single attacker, using a serious exploit, siphoned off around $7 million in value by manipulating oracle prices. The attack, first flagged by Cyvers' alert system, caused operational issues across three separate chains: BNB Chain, Base, and Taiko. KiloEx, known for its oracle-based pricing mechanism, now has some serious explaining to do.

"7M HACK ALERT
Our system has detected multiple suspicious transactions involving @KiloEx_perp across several chains. An address funded via @TornadoCash has executed a series of exploitative transactions on the $BNB, $Base, and $Taiko chains — accumulating approximately $7M in… pic.twitter.com/od4UTsSrXs"
— Cyvers Alerts (@CyversAlerts) April 14, 2025

The exploit went exactly as planned: a weak contract design gave the attacker a way to reach price feeds that were not properly protected. This is a recurring class of problem in decentralized finance protocols, which face many other issues besides this one. Nor did DeFi protocols arrive here by accident: the oracle problem is hard, and access control in smart contracts is easy to get wrong.

Tornado Cash Funding and Cross-Chain Exploits

The attacker's activity first set off alarms when dubious transactions were observed being routed through Tornado Cash, a privacy protocol commonly used to obscure the origin of funds. The attacker then launched a coordinated exploit campaign against the KiloEx platform, hitting it on the BNB, Base, and Taiko chains. By abusing the MinimalForwarder contract in KiloEx's architecture, the actor gained control of price-setting mechanisms normally restricted to a few privileged contracts. With that contrived access, the attacker manipulated the prices of several assets, opening and closing positions at distorted price levels to drain funds from the platform.
The Technical Breakdown: How the Attack Unfolded

The exploit centers on the MinimalForwarder contract, which lacked important access control mechanisms. This contract serves as an entry point for executing function calls across the many KiloEx smart contracts, and the exploit took advantage of the following chain of operations:

1. The setPrices function in the KiloPriceFeed contract is used to update the oracle prices. Under normal conditions it is meant to be called exclusively by the Keeper contract.
2. The 0x7a498a61 function of the Keeper contract is responsible for executing price updates when new positions are opened. This function is set up to accept calls only from the PositionKeeper contract.
3. The PositionKeeper contract contains a function, 0xac9fd279, that calls into the Keeper contract. This function should be reachable only through the MinimalForwarder contract.
4. Where the exploit happened: the MinimalForwarder's execute function. The attacker found that this function could be used to spoof any "from" address by supplying a fake signature. Critically, the function did not validate the call data before forwarding it, so the attacker could craft a call that passed through PositionKeeper and Keeper and ended up at setPrices, modifying the prices directly.

"The root cause of the @KiloEx_perp exploit is the lack of access control checks in the top-level contract (MinimalForwarder), which leads to the manipulation of oracle prices. The attack path is as follows: 1. The setPrices function in the KiloPriceFeed contract, which can… https://t.co/0mpPteI8JU pic.twitter.com/q0Gs5sccG8"
— SlowMist (@SlowMist_Team) April 15, 2025

This path let the attacker first push a price down, then use the artificially low price to open a long position. They then did the reverse: pushed the price up to an absurd level, closed the position, and took the immediate profit.
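The four-step chain above comes down to one missing check: a forwarder that relays a caller-chosen "from" address without binding it, through a valid signature, to the full request including the call data. The following is an added illustration, not KiloEx's code and not any audited library; the contract and function names (TrustedForwarder, PriceFeed, setPrices, keeper) are assumptions. It shows the shape of a forwarder that verifies an EIP-712 signature and nonce before relaying anything, and a target that trusts the appended sender only when the call comes from that one forwarder, so a forged "from" never reaches the privileged price-setting path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical names, not KiloEx's contracts).
// The signature covers every field of the request, including the call data,
// and a per-signer nonce prevents replay.
contract TrustedForwarder {
    struct ForwardRequest {
        address from;
        address to;
        uint256 value;
        uint256 gas;
        uint256 nonce;
        bytes data;
    }

    bytes32 private constant _TYPEHASH = keccak256(
        "ForwardRequest(address from,address to,uint256 value,uint256 gas,uint256 nonce,bytes data)"
    );
    bytes32 private immutable _DOMAIN_SEPARATOR;
    mapping(address => uint256) private _nonces;

    constructor() {
        _DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("TrustedForwarder"),
            keccak256("1"),
            block.chainid,
            address(this)
        ));
    }

    function getNonce(address from) external view returns (uint256) {
        return _nonces[from];
    }

    // The check that was missing in the incident: the recovered signer must be
    // the claimed `from`, and the signed digest must bind `to`, `data` and `nonce`.
    function verify(ForwardRequest calldata req, bytes calldata signature) public view returns (bool) {
        bytes32 structHash = keccak256(abi.encode(
            _TYPEHASH, req.from, req.to, req.value, req.gas, req.nonce, keccak256(req.data)
        ));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", _DOMAIN_SEPARATOR, structHash));
        address signer = _recover(digest, signature);
        return signer != address(0) && signer == req.from && _nonces[req.from] == req.nonce;
    }

    function execute(ForwardRequest calldata req, bytes calldata signature)
        external payable returns (bool, bytes memory)
    {
        require(verify(req, signature), "Forwarder: signature does not match request");
        _nonces[req.from] = req.nonce + 1; // consume the nonce before the external call
        // ERC-2771 convention: append the *verified* sender to the call data.
        (bool success, bytes memory ret) =
            req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
        // EIP-150 guard: revert if the relayer starved the target of the promised gas.
        if (gasleft() <= req.gas / 63) { assembly { invalid() } }
        return (success, ret);
    }

    function _recover(bytes32 digest, bytes calldata sig) private pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        // Reject malleable high-s signatures (EIP-2) and invalid v values.
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) return address(0);
        if (v != 27 && v != 28) return address(0);
        return ecrecover(digest, v, r, s);
    }
}

// A privileged target: it reads the appended sender only when msg.sender is its
// single trusted forwarder; any other caller is treated as itself.
contract PriceFeed {
    address public immutable trustedForwarder;
    address public immutable keeper;
    mapping(bytes32 => uint256) public prices;

    constructor(address forwarder, address keeper_) {
        trustedForwarder = forwarder;
        keeper = keeper_;
    }

    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    function setPrices(bytes32[] calldata assets, uint256[] calldata values) external {
        require(_msgSender() == keeper, "PriceFeed: caller is not the keeper");
        require(assets.length == values.length, "PriceFeed: length mismatch");
        for (uint256 i = 0; i < assets.length; i++) prices[assets[i]] = values[i];
    }
}
```

Two properties carry the defence: the forwarder refuses to relay unless the signer of the whole request equals the claimed sender, and the target accepts an appended sender only from the one forwarder address it was deployed with. Either check alone is insufficient; a target that honours appended senders from any caller, or a forwarder that skips verification, reproduces the failure described above.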
It was all very legal, since no actual trading took place.

Aftermath and Industry Implications

Overall losses across the affected chains are estimated at about $7 million. Blockchain analysts have observed that the sophistication of the exploit indicates the attacker had a deep understanding of KiloEx's smart contract framework and its weaknesses.

This breach renews the focus on the need for robust access controls in smart contract systems, particularly those that involve oracles and leveraged trading mechanisms. In this instance, the absence of strict caller validation allowed an attacker to construct a multi-step execution path that circumvented the intended protections and granted unauthorized control over the core price-setting function.

KiloEx has not yet published a thorough post-mortem or stated how it plans to make affected users whole. Meanwhile, the wider decentralized finance community is watching the situation closely. Many of its members are using the moment to call for more stringent audit standards and security testing, especially in protocols that bridge multiple blockchains and hold large amounts of user funds.

Events of this kind underscore the danger of underestimating the intricacy of smart contracts and how readily attackers exploit even small slips. As DeFi continues to grow, the industry must address the security needs of a fast-expanding and ever more interconnected ecosystem.

Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!