KiloEx: Uncovering the $7.5 Million Oracle Exploit | Newsletter Crypto Hack

A Deep Dive into the $7.5 Million KiloEx Oracle Exploit, Multi-Chain Vulnerabilities, Audit Failures, and the Ongoing Search for Accountability in Decentralized Finance (DeFi)

TL;DR

KiloEx suffered a $7.5 million exploit due to a critical oracle access control flaw. The attacker manipulated prices across multiple chains after funding via Tornado Cash. Despite five audits, the vulnerability went undetected. KiloEx has suspended operations, filed a police report, and is pursuing recovery while addressing security concerns post-incident.

KiloEx, a multi-chain perpetual protocol, suffered a significant security breach resulting in a $7.5 million loss after an attacker exploited a vulnerability in its oracle system.

The attack was executed through a wallet funded via Tornado Cash, enabling the perpetrator to bypass traceability. Despite its recent expansion across Base, BNB Chain, and Taiko, the protocol failed to address a critical flaw in its oracle implementation.

The exploit did not rely on a sophisticated zero-day vulnerability; instead, it capitalized on a basic oversight, described as “the digital equivalent of walking through an unlocked front door.”

This lapse occurred shortly after the project received support from Binance, highlighting the contrast between its public milestones and internal security posture.

In the aftermath, KiloEx offered a 10% bounty to the attacker in hopes of recovering the stolen funds. The incident raises concerns about the reliability of security practices in emerging DeFi platforms.

As the original commentary noted, “having ‘Kilo’ in your name doesn’t automatically give you the heavyweight security needed in DeFi’s bloodsport arena.”

The security breach at KiloEx escalated rapidly, with early warnings issued by security engineer Chaofan Shou on April 14th. Shou first reported that “KiloEx_perp is hacked. $6M+ loss already. Likely due to price oracle access control issues.”

Shortly thereafter, he confirmed the vulnerability: “Anyone can change Kilo’s price oracle.”

Within just 20 minutes of Shou’s initial alert, Cyvers Alerts corroborated the scale of the exploit, announcing a "$7M HACK ALERT" spanning multiple chains. The attack spread quickly from BNB Chain to Base and Taiko, draining funds at an alarming rate.

KiloEx responded hours later by suspending all platform activity and collaborating with security firms to trace the stolen funds. The incident revealed just how fragile KiloEx's security infrastructure was, particularly its oracle access controls, which allowed unrestricted manipulation of price feeds.

The fallout demonstrates how a single overlooked vulnerability can trigger catastrophic losses across interconnected chains, turning what should have been a robust multi-chain deployment into a liability.

Exploit Details:

The exploit that led to KiloEx's $7.5 million loss required no advanced techniques, only a clear path through inadequate access controls.

According to an investigation by SlowMist, the breach stemmed from a flawed MinimalForwarder contract that failed to validate callers or verify signatures. This allowed the attacker to impersonate trusted contracts with ease.

The exploit relied on a chain of misplaced trust between four interconnected contracts: KiloPriceFeed relied on Keeper, Keeper relied on PositionKeeper, and PositionKeeper depended on MinimalForwarder. The breakdown occurred at the root, MinimalForwarder, where forged signatures and absent data validation enabled unrestricted access.

With full control of the price oracle, the attacker manipulated ETH prices at will. By first setting ETH as low as $100, opening highly leveraged long positions, then inflating prices to $10,000, they executed a rinse-and-repeat strategy to drain funds. The Base chain alone lost $3.12 million.

While Pyth Network served as the underlying oracle provider, the breach was entirely due to KiloEx’s insecure implementation. The attacker exploited this weakness without leaving substantial traces, showcasing how insecure architecture can become a gateway for massive theft.
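To make the trust chain and the price manipulation concrete, here is an added Python model. It is not KiloEx's code (which is Solidity) and not SlowMist's analysis; the contract names follow the article, while the addresses, keys, the $2,000 starting price and the 1,000 bps move bound are constructed, and an HMAC stands in for the EIP-712/ECDSA signature a real forwarder would verify. `UncheckedForwarder` reproduces the described flaw (no caller validation, no signature check, so the relayed "original sender" is attacker-chosen), `VerifyingForwarder` shows the fix (signature bound to the claimed sender plus nonce replay protection), the optional deviation bound on `PriceFeed` is a defence-in-depth check that rejects a $2,000 to $100 jump even when the forwarder is broken, and `long_pnl` shows why a $100 to $10,000 swing on a leveraged long drains a vault.

```python
import hashlib
import hmac
from dataclasses import dataclass

ADMIN, ATTACKER = "0xadmin", "0xattacker"  # constructed addresses, not real ones
ADMIN_KEY = b"admin-signing-key"           # constructed; stands in for the admin's ECDSA key

@dataclass(frozen=True)
class ForwardRequest:
    sender: str  # address the request claims to originate from
    nonce: int
    asset: str
    price: float

def sign_request(req, key):
    """HMAC stands in for the EIP-712/ECDSA signature a real forwarder would check."""
    msg = f"{req.sender}|{req.nonce}|{req.asset}|{req.price}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class PriceFeed:
    """Last link in the chain: only the Keeper address may write prices."""
    def __init__(self, address, keeper_address, max_move_bps=None):
        self.address, self.keeper = address, keeper_address
        self.max_move_bps = max_move_bps  # optional per-update sanity bound, in basis points
        self.prices = {"ETH": 2000.0}     # constructed starting price
    def set_price(self, caller, asset, price):
        if caller != self.keeper:
            raise PermissionError("PriceFeed: caller is not Keeper")
        last = self.prices.get(asset)
        if self.max_move_bps is not None and last and abs(price - last) / last * 10_000 > self.max_move_bps:
            raise ValueError(f"PriceFeed: {asset} {last}->{price} exceeds move bound")
        self.prices[asset] = price

class Keeper:
    def __init__(self, address, feed, position_keeper_address):
        self.address, self.feed, self.position_keeper = address, feed, position_keeper_address
    def push_price(self, caller, asset, price):
        if caller != self.position_keeper:
            raise PermissionError("Keeper: caller is not PositionKeeper")
        self.feed.set_price(self.address, asset, price)

class PositionKeeper:
    """Trusts the forwarder and takes the relayed 'original sender' on faith."""
    def __init__(self, address, keeper, forwarder_address, admin):
        self.address, self.keeper, self.forwarder, self.admin = address, keeper, forwarder_address, admin
    def push_price(self, caller, original_sender, asset, price):
        if caller != self.forwarder:
            raise PermissionError("PositionKeeper: caller is not the forwarder")
        if original_sender != self.admin:
            raise PermissionError("PositionKeeper: relayed sender is not admin")
        self.keeper.push_price(self.address, asset, price)

class UncheckedForwarder:
    """The root flaw: relays any request, inspecting neither submitter nor signature."""
    def __init__(self, address, position_keeper):
        self.address, self.pk = address, position_keeper
    def execute(self, submitter, req, signature):
        # submitter and signature are ignored, so req.sender is whatever the caller claims
        self.pk.push_price(self.address, req.sender, req.asset, req.price)

class VerifyingForwarder(UncheckedForwarder):
    """Fix: the signature must verify under req.sender's key and nonces cannot be replayed."""
    def __init__(self, address, position_keeper, signer_keys):
        super().__init__(address, position_keeper)
        self.signer_keys = signer_keys  # sender address -> signing key
        self.used_nonces = set()
    def execute(self, submitter, req, signature):
        key = self.signer_keys.get(req.sender)
        if key is None or not hmac.compare_digest(sign_request(req, key), signature):
            raise PermissionError("Forwarder: signature does not match req.sender")
        if (req.sender, req.nonce) in self.used_nonces:
            raise PermissionError("Forwarder: nonce already used")
        self.used_nonces.add((req.sender, req.nonce))
        super().execute(submitter, req, signature)

def build_chain(verifying, max_move_bps=None):
    """Wire PriceFeed <- Keeper <- PositionKeeper <- forwarder; return (feed, forwarder)."""
    feed = PriceFeed("0xfeed", "0xkeeper", max_move_bps)
    pk = PositionKeeper("0xposkeeper", Keeper("0xkeeper", feed, "0xposkeeper"), "0xforwarder", ADMIN)
    if verifying:
        return feed, VerifyingForwarder("0xforwarder", pk, {ADMIN: ADMIN_KEY})
    return feed, UncheckedForwarder("0xforwarder", pk)

def attempt(feed, forwarder, submitter, req, signature):
    """Submit a request; return the ETH price afterwards (unchanged if the chain rejected it)."""
    try:
        forwarder.execute(submitter, req, signature)
    except (PermissionError, ValueError):
        pass
    return feed.prices["ETH"]

def long_pnl(collateral, leverage, entry, exit_price):
    """Profit on a leveraged long, ignoring fees and funding (the article's $100 -> $10,000 move)."""
    return collateral * leverage * (exit_price - entry) / entry

if __name__ == "__main__":
    forged = ForwardRequest(ADMIN, 1, "ETH", 100.0)  # attacker-built request claiming to be admin
    for verifying in (False, True):
        print(f"verifying={verifying}: ETH = {attempt(*build_chain(verifying), ATTACKER, forged, b'')}")
    print("10x long, $1,000 collateral, $100 -> $10,000:", long_pnl(1000, 10, 100, 10_000))
```

Running the file shows the forged request moving ETH to $100 through the unchecked forwarder and leaving it at $2,000 through the verifying one, and a 10x long on $1,000 of collateral gaining $990,000 on the $100 to $10,000 swing. The point of the model is that every contract downstream of the forwarder does check its caller; the chain fails because the forwarder, the one component whose job is to authenticate the original sender, never does, and because nothing downstream sanity-checks the value it is handed.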

Tracing the Attack:

The attacker behind the KiloEx exploit demonstrated a high level of coordination and preparation, beginning with the use of Tornado Cash, a well-known crypto mixer, to fund their activities.

The wallet first appeared on April 13, one day before the exploit, indicating premeditation. The originating wallet was:
0xa0fa4ab8ded0c07085d244e1981919b440f78b609e1cf8d7f8ee32d358dfdf46

From there, the attacker launched synchronized attacks across Base, BNB Chain, Taiko, opBNB, and Manta, exploiting the same vulnerability on each network. The precise timing and execution reflect deliberate targeting.

All exploits were linked to the following Ethereum address:
0x00fac92881556a90fdb19eae9f23640b95b4bcbd

Attack Details:

Base Chain:

BNB Chain:

opBNB:

Taiko:

Manta:

The attacker also used a separate Ethereum address to bridge funds:
0x551f3110f12c763D1611d5A63B5F015d1c1a954C

In total, the amount stolen is estimated at approximately $7,491,500.

By the time SlowMist’s MistTrack flagged the attacker’s addresses, the stolen funds were already being moved across various blockchain bridges, including zkBridge, deBridge, and Meson.

These once-promising cross-chain protocols, intended to enhance DeFi's borderless potential, now served as ideal avenues for the attacker to launder the stolen funds.

In response, KiloEx quickly urged "all partner protocols and platforms to blacklist this address" while working with security partners to track the flow of the stolen assets. This is becoming a common response in the DeFi space, where security breaches have become an unfortunately predictable pattern.

In such a severe security violation, what more can a platform do beyond sending a strongly worded request to the blockchain?

Consequences:

KiloEx’s response to the attack came swiftly, but it followed the familiar steps seen in many DeFi hacks: suspend trading, blacklist addresses, and trace the stolen funds. This reaction, while necessary, was akin to locking the door after the burglars had already made off with the loot.

The following day, the platform announced that the vulnerability had been identified and would be fixed soon. The announcement read more like a formality than a breakthrough; after all, the damage had already been done.

It was like discovering the front door was broken after the valuables were taken.

The platform then made its offer to the hacker: return 90% of the $7.5 million, keep 10% as a "whitehat bounty," and KiloEx would even send out a tweet acknowledging the cooperation. The message, however, felt more like a desperate plea than a genuine negotiation.

Their statement, dripping with an air of desperation masked as strength, read: "Our investigation, supported by law enforcement, cybersecurity agencies, and multiple exchanges & bridge protocols, has uncovered critical information about your activities."

KiloEx’s plea to the attacker could be summarized simply: return the funds. However, the attacker has remained silent, with their wallets still untouched and holding the full $7.5 million in stolen assets.

In response, KiloEx has filed a police report in Hong Kong and stated they are cooperating with the Criminal Division, Cybercrime Unit, and cybersecurity firm SlowMist. The platform is freezing positions based on pre-attack snapshots and has promised user compensation plans, while also attempting direct on-chain communication with the attacker.

Curiously, KiloEx took the opportunity to address “rumors suggesting KiloEx may have been involved in the hack,” despite the fact that such suspicions were not prominent until the platform brought them up. This move has raised questions about whether they unintentionally invited speculation about an insider threat.

KiloEx confirmed that they had undergone five audits since June 2023. However, these assessments failed to prevent the exploit.

The most recent audit, conducted by ScaleBit in March 2025, offered a response that sidestepped responsibility. The firm stated they were “deeply saddened” by the incident but noted that “the root cause falls outside the scope of our audit.”

This raises critical concerns about audit standards. If a security audit does not account for vulnerabilities in something as fundamental as oracle access control, what exactly is its purpose?

KiloEx now joins the long list of protocols brought down by oracle manipulation, a classic vulnerability that continues to exploit the DeFi space's weakest links.

Despite deploying on Base, BNB Chain, Taiko, and opBNB, KiloEx left its MinimalForwarder completely exposed, giving attackers direct access to $7.5 million in user funds. This was not a sophisticated hack, just a basic failure in access control that could have been prevented.

The team prioritized expansion over security, and it showed. Five audits since June 2023 failed to catch the flaw that ultimately drained the protocol. The result was a sprawling multi-chain rollout built on a compromised foundation.

Users are not interested in retroactive fixes or apologetic audit statements. They care about protocols that take security seriously from day one. When your MinimalForwarder becomes the doorway to a full treasury drain, no amount of post-mortem analysis or PR cleanup will restore trust.

Thank you for reading our latest Crypto Hack story.