KiloEx DEX Hit by $7M Loss Following Suspected Oracle Manipulation Exploit

Key Points:

• KiloEx, a decentralized exchange, experienced a $7 million loss from a sophisticated attack that targeted a flaw in its price oracle system.

• The attacker utilized Tornado Cash to fund a wallet and manipulated asset prices across several blockchain networks, including Base, BNB Chain, and Taiko.

• KiloEx has paused its operations and is working with partners to track the stolen funds and block the attacker’s wallet.

KiloEx, a decentralized exchange (DEX) focused on perpetual futures trading, fell victim to a sophisticated attack earlier on Tuesday, resulting in approximately $7 million in user losses.

The exploit affected multiple blockchain networks and seems to have been triggered by a vulnerability in the platform’s price oracle system, according to blockchain analysis firm Cyvers.

An attacker funded a wallet through Tornado Cash, a privacy tool that hides transaction trails, and carried out a series of transactions on the Base, BNB Chain, and Taiko networks. This allowed the attacker to exploit a vulnerability in KiloEx's price oracle system and manipulate asset prices.

KiloEx has confirmed the breach, suspended operations, and is now collaborating with partners to track the stolen funds and block the attacker’s wallet.

Oracles are blockchain-based tools that provide external data to smart contracts, allowing decentralized platforms to make decisions based on real-world information. For example, an oracle can tell the platform if ether (ETH) is worth $2,000 or $3,000, ensuring fair market prices for trades.

However, oracles can be vulnerable. In KiloEx's case, the attacker exploited a weakness in the platform's price oracle system, gaining unauthorized access and manipulating data by using flash loans (temporary liquidity) to trick the system into reporting false prices.

The attacker altered the oracle to display an artificially low price for ETH (e.g., $100) while opening leveraged trades. Leverage allows traders to borrow funds, so a fake price creates significant distortions. The attacker profited from this by withdrawing large sums from KiloEx’s vault.

This manipulation was repeated across the Base, BNB Chain, and Taiko networks, taking advantage of KiloEx’s cross-chain setup to maximize the attack before the platform could respond.

In one transaction, the attacker reportedly made $3.12 million in a single move.

This is not the first oracle manipulation attack in decentralized finance (DeFi). Similar incidents have targeted platforms like Mango Markets in 2022, resulting in $100 million in losses, and Cream Finance in 2021, which saw $130 million stolen.