KiloEx loses USD $7.5 million in oracle manipulation attack
The theft was the result of the exploitation of a flaw that allowed the price oracle to be manipulated. KiloEx demanded that the hacker return 90% of the stolen funds or face a relentless legal pursuit.
***
- The decentralized exchange KiloEx suffered an exploit worth USD $7.5 million.
- The hacker exploited a contract flaw that allowed the price oracle to be manipulated.
- The funds were drained from several blockchain networks, including Base and BSC.
- The KiloEx team threatened to expose the hacker if 90% of the funds are not returned.
KiloEx is the latest decentralized finance (DeFi) platform to be hit by a multi-million-dollar hack.
The decentralized exchange (DEX) KiloEx, which offers perpetual futures trading, on Tuesday suffered a loss of more than USD $7 million in cryptocurrencies as a result of a price oracle manipulation attack.
The exploit, which was carried out across multiple blockchain networks, stemmed from missing access controls in one of the platform's smart contracts, which allowed the oracle price to be manipulated, the security team at SlowMist said.
KiloEx confirmed the information on social media, after the team had earlier paused its platform and announced that it was tracing the funds as part of a "multi-ecosystem" investigation.
"We are analyzing the attack vector and the affected assets. We are collaborating with ecosystem partners to track and recover funds where possible," KiloEx wrote, indicating efforts to blacklist the attacker's wallet.
KiloEx suffers oracle manipulation attack
The KiloEx attacker reportedly used a wallet funded through Tornado Cash to execute a series of transactions on the Base, BNB Chain and Taiko networks, exploiting a vulnerability in the platform's price oracle system, the on-chain analytics firm Cyvers noted. This allowed the attacker to manipulate asset prices.
The cybersecurity firm PeckShield said in a separate post on X that the exploiter withdrew USD $7.5 million, comprising USD $3.3 million in assets on Base, USD $3.1 million on opBNB and USD $1 million on BSC.
Oracles are services that feed external data onto a blockchain. A platform's smart contracts use this data to make decisions. For example, an oracle tells a DEX the price of Ether (ETH), which ensures that trades execute at fair market prices. But oracles can be a weak link: a contract trusts whatever price the oracle reports, so whoever can write that price controls every calculation that depends on it.
In the case of KiloEx, the attacker essentially exploited a flaw that lets malicious actors manipulate the price data, with the help of flash loans, tricking the system into accepting false prices. Specifically, the attacker tricked the system into reporting an absurdly low ETH price when opening a leveraged position.
The hacker created "a new position with a given initial ETH/USD price of 100 and then immediately closed the position with an inflated ETH/USD price of 10000, obtaining a profit of USD $3.12 million in a single transaction," PeckShield explained.
It is worth noting that Tornado Cash is a decentralized cryptocurrency mixer, a tool that obscures transaction trails on the blockchain and is often used by malicious actors to launder funds.
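The following is an added illustration of the pattern described above, not KiloEx's code: a price feed that anyone can update, beside a hardened feed that restricts updates to a keeper role, bounds the jump between consecutive prices, and rejects stale values, plus a minimal perp engine showing where the feed price enters the profit calculation. The contract names, the keeper role, the 5% deviation bound and the 5-minute staleness window are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not KiloEx's code. Contract names, the keeper role, the
// 5% deviation bound and the 5-minute staleness window are assumptions.

interface IPriceFeed {
    function getPrice(bytes32 pair) external view returns (uint256);
}

/// Vulnerable pattern: anyone can push a price that the trading engine trusts.
contract OpenPriceFeed is IPriceFeed {
    mapping(bytes32 => uint256) private price;

    // No caller check and no sanity check: an attacker writes 100, opens a long,
    // writes 10000 and closes it, all in the same transaction.
    function updatePrice(bytes32 pair, uint256 newPrice) external {
        price[pair] = newPrice;
    }

    function getPrice(bytes32 pair) external view returns (uint256) {
        return price[pair];
    }
}

/// Hardened pattern: only whitelisted keepers may update, each update must stay
/// within a deviation bound of the previous price, and stale prices are rejected.
contract GuardedPriceFeed is IPriceFeed {
    uint256 public constant MAX_DEVIATION_BPS = 500;   // 5%, assumed
    uint256 public constant MAX_STALENESS = 5 minutes; // assumed

    struct Observation { uint256 price; uint256 updatedAt; }

    address public immutable admin;
    mapping(address => bool) public isKeeper;
    mapping(bytes32 => Observation) private obs;

    error NotAdmin();
    error NotKeeper();
    error DeviationTooLarge(uint256 oldPrice, uint256 newPrice);
    error StalePrice();

    constructor() { admin = msg.sender; }

    modifier onlyKeeper() {
        if (!isKeeper[msg.sender]) revert NotKeeper();
        _;
    }

    function setKeeper(address keeper, bool allowed) external {
        if (msg.sender != admin) revert NotAdmin();
        isKeeper[keeper] = allowed;
    }

    function updatePrice(bytes32 pair, uint256 newPrice) external onlyKeeper {
        Observation memory prev = obs[pair];
        if (prev.price != 0) {
            uint256 diff = newPrice > prev.price ? newPrice - prev.price : prev.price - newPrice;
            // diff / prev.price > 5%  <=>  diff * 10000 > prev.price * 500
            if (diff * 10_000 > prev.price * MAX_DEVIATION_BPS) {
                revert DeviationTooLarge(prev.price, newPrice);
            }
        }
        obs[pair] = Observation(newPrice, block.timestamp);
    }

    function getPrice(bytes32 pair) external view returns (uint256) {
        Observation memory o = obs[pair];
        if (o.price == 0 || block.timestamp - o.updatedAt > MAX_STALENESS) revert StalePrice();
        return o.price;
    }
}

/// Minimal long-only perp engine showing where the feed price enters the PnL.
contract MiniPerp {
    IPriceFeed public immutable feed;
    bytes32 public constant ETH_USD = keccak256("ETH/USD");

    struct Position { uint256 size; uint256 entryPrice; } // size in quote units
    mapping(address => Position) public positions;

    constructor(IPriceFeed feed_) { feed = feed_; }

    function openLong(uint256 size) external {
        positions[msg.sender] = Position(size, feed.getPrice(ETH_USD));
    }

    /// PnL of a long in quote units: size * (exit - entry) / entry.
    /// With entry 100 and exit 10000 this is 99 times the position size.
    function closeLong() external returns (int256 pnl) {
        Position memory p = positions[msg.sender];
        uint256 exitPrice = feed.getPrice(ETH_USD);
        pnl = (int256(p.size) * (int256(exitPrice) - int256(p.entryPrice))) / int256(p.entryPrice);
        delete positions[msg.sender];
    }
}
```

Wired to `OpenPriceFeed`, `MiniPerp` lets any address set ETH/USD to 100, open a long, set it to 10000 and close, and `closeLong` pays out 99 times the size in one transaction. Wired to `GuardedPriceFeed`, the first `updatePrice` from a non-keeper reverts with `NotKeeper`, and even a compromised keeper cannot move the price by a factor of 100 in a single update because of the deviation bound. The bound and the staleness window limit the damage of a bad update rather than eliminating it, so they complement, not replace, the caller check.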
10% reward or threat of exposure
In one of its latest updates, KiloEx sought to open communication with the attacker, offering to let them keep 10% of the stolen funds as a bounty if they return the remaining 90%, and threatening severe action otherwise.
"We will report this resolution, acknowledging your cooperation and closing the case without further action," the team wrote on X. "If you agree, contact us at operation@kiloex.io or send an on-chain message to confirm."
The DEX has vowed to expose the attacker's identity and pursue legal remedies if the offer is ignored.
"If you do not comply, we will escalate the investigation with law enforcement and cybersecurity partners. Your identity and activities will be exposed to the relevant authorities. We will pursue legal action relentlessly. The choice is yours. Act now to avoid irreversible consequences," the KiloEx team warned.
To hacker:
Our investigation, supported by law enforcement, cybersecurity agencies, and multiple exchange & bridge protocols, has uncovered critical information about your activities.
We Are Actively Monitoring Your Addresses (0x551F3110F12C763D1611D5A63B5F015D1C1A954C, …
– kiloex (@kiloex_perp) April 15, 2025
Oracle problems are not new, and several DeFi platforms have suffered attacks of this type in the past. Mango Markets faced an exploit in 2022 in which the identified attacker, Avraham Eisenberg, extracted USD $110 million. Eisenberg was convicted on fraud charges in 2024 by a court in New York, USA.
Hannah Estefanía Pérez / Diariobitcoin
Image from Unsplash
WARNING: Diariobitcoin offers informative and educational content on various topics, including cryptocurrencies, AI, technology and regulation. We do not provide financial advice. Crypto asset investments are high risk and may not be suitable for everyone. Do your own research, consult an expert and check the applicable legislation before investing. You could lose all of your capital.