A sophisticated attack has cost the decentralized exchange KiloEx approximately 7 million USD in just a few hours. The incident once again raises alarms about oracle vulnerabilities: the price feed that tells a protocol what its assets are worth is becoming a favored target for hackers going after DeFi projects.



Summary of the incident: Hacker exploits a price-oracle vulnerability to drain funds


KiloEx is a DEX specializing in perpetual futures trading that operates on multiple blockchain networks, including Base, BNB Chain, and Taiko. According to the official announcement, earlier this week the platform was attacked by a hacker using a wallet funded through Tornado Cash (a cryptocurrency mixer that obscures the origin of funds), who then exploited a vulnerability in the price oracle system, causing ETH to be severely mispriced on the platform.


By manipulating the oracle's ETH price down to an extremely low level (for example, $100), the attacker opened leveraged long positions at that price; once the oracle price returned to a normal level, the system computed a large profit on those positions. The attacker then withdrew these 'virtual profits' from KiloEx's treasury, turning a bookkeeping error into real losses for the platform.



How did the hacker achieve this?



  1. Funding the wallet through Tornado Cash: conceals the source of the attacker's funds.
  2. Using flash loans: borrows temporary liquidity to manipulate prices within a single transaction.
  3. Oracle attack: exploits weaknesses in the control of the oracle's price data, that is, the system that tells the platform what $ETH is worth.
  4. Leveraged trading: opens positions at the artificially low ETH price, so that once the price is back to normal the system registers large profits.
  5. Withdrawing funds: takes out the 'profits' that were wrongly validated, which are in fact real money belonging to other users.




A single transaction in the attack netted the hacker as much as 3.12 million USD.



KiloEx's response


Immediately after discovering the incident, #KiloEx suspended all platform operations and confirmed the attack. The team is coordinating with partners to:



  • Trace the stolen funds.
  • Blacklist the hacker's wallet addresses.
  • Offer the hacker a 10% 'reward' if the remaining 90% is returned, a familiar DeFi tactic to encourage the return of assets.





Oracle – an inherent weakness in DeFi?


#Oracle is the bridge between real-world data (such as the ETH price) and the blockchain. When it is manipulated, every action based on that data, including asset pricing, liquidations, and profit/loss calculation, is distorted along with it.
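To make steps 3 to 5 of the attack sequence above and the oracle dependency described here concrete, the following Python simulation is an added example, not KiloEx's code and not a reconstruction of its contracts. It models a minimal perpetual venue whose PnL is settled at whatever the oracle reports, first with an oracle whose update function never checks who is calling, then with a guarded version that requires a whitelisted keeper, takes the median of at least three quotes, and refuses any single update that moves the price by more than 10%. The exchange model, the `UnprotectedOracle` and `GuardedOracle` classes, the account names, and every price and balance are assumptions constructed for the demonstration; flash-loan funding (step 2) is not modelled.

```python
"""Toy perpetual-DEX model with a writable price oracle.

Constructed example for illustration, not KiloEx's contracts: the exchange
model, both oracle classes, account names, prices and balances are all
assumptions made up for this demonstration. Flash-loan funding is not modelled.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from statistics import median


class OracleRejected(Exception):
    """Raised when a price update fails the guarded oracle's checks."""


class UnprotectedOracle:
    """Update path never checks the caller: whoever reaches set_price()
    becomes the platform's source of truth for the ETH price."""

    def __init__(self, price: float) -> None:
        self._price = price

    def set_price(self, caller: str, price: float) -> None:
        self._price = price          # `caller` is never checked

    def price(self) -> float:
        return self._price


class GuardedOracle:
    """Same interface with three checks on the update path: (1) only
    whitelisted keepers may push, (2) the median of >= 3 quotes is used so one
    bad feed is outvoted, (3) one update may not move the price more than
    `max_deviation` from the last accepted value."""

    def __init__(self, price: float, keepers: set[str], max_deviation: float = 0.10) -> None:
        self._price, self.keepers, self.max_deviation = price, set(keepers), max_deviation

    def set_prices(self, caller: str, quotes: list[float]) -> None:
        if caller not in self.keepers:
            raise OracleRejected(f"unauthorized caller {caller!r}")
        if len(quotes) < 3:
            raise OracleRejected("need at least 3 independent quotes")
        candidate = median(quotes)
        deviation = abs(candidate - self._price) / self._price
        if deviation > self.max_deviation:
            raise OracleRejected(f"deviation {deviation:.0%} exceeds limit {self.max_deviation:.0%}")
        self._price = candidate

    def price(self) -> float:
        return self._price


@dataclass
class Position:
    collateral: float
    size_usd: float        # notional = collateral * leverage
    entry_price: float


@dataclass
class Perp:
    """Minimal venue: one long per trader, PnL settled at the oracle price."""
    oracle: object
    treasury: float        # pooled funds belonging to other users
    positions: dict[str, Position] = field(default_factory=dict)

    def open_long(self, trader: str, collateral: float, leverage: int) -> None:
        self.treasury += collateral
        self.positions[trader] = Position(collateral, collateral * leverage, self.oracle.price())

    def close(self, trader: str) -> tuple[float, float]:
        """Returns (pnl the oracle implies, amount actually paid out)."""
        pos = self.positions.pop(trader)
        pnl = pos.size_usd * (self.oracle.price() - pos.entry_price) / pos.entry_price
        payout = min(max(0.0, pos.collateral + pnl), self.treasury)  # pays what it holds
        self.treasury -= payout
        return pnl, payout


def exploit_unprotected() -> tuple[float, float, float]:
    """Steps 3-5 of the incident against the unprotected oracle."""
    oracle = UnprotectedOracle(price=2000.0)             # assumed honest ETH price
    perp = Perp(oracle, treasury=5_000_000.0)
    oracle.set_price("attacker", 100.0)                  # step 3: ETH "worth" $100
    perp.open_long("attacker", collateral=10_000.0, leverage=20)   # step 4
    oracle.set_price("attacker", 2000.0)                 # restore market price
    pnl, payout = perp.close("attacker")                 # step 5: withdraw "profit"
    return pnl, payout, perp.treasury


def exploit_guarded() -> tuple[list[str], float]:
    """Same moves against the guarded oracle; returns why each was refused."""
    oracle = GuardedOracle(price=2000.0, keepers={"keeper-1"})
    rejections = []
    attempts = [("attacker", [100.0, 100.0, 100.0]),   # not a keeper
                ("keeper-1", [100.0, 100.0, 100.0])]   # stolen keeper key: 95% jump refused
    for caller, quotes in attempts:
        try:
            oracle.set_prices(caller, quotes)
        except OracleRejected as exc:
            rejections.append(str(exc))
    oracle.set_prices("keeper-1", [100.0, 2010.0, 1995.0])   # one poisoned feed, median wins
    return rejections, oracle.price()


if __name__ == "__main__":
    pnl, paid, left = exploit_unprotected()
    print(f"unprotected: pnl ${pnl:,.0f} paid ${paid:,.0f} treasury left ${left:,.0f}")
    print("guarded:", *exploit_guarded())
```

Running it shows the unprotected path turning 10,000 of collateral into a 3.8 million 'profit' paid out of the pool, while the guarded oracle rejects both the attacker's direct write and a 95% one-shot move pushed with a keeper key, and lets a single poisoned feed be outvoted by the median. The deviation bound is a trade-off: set too tight it would also reject a genuine crash, so in practice it is combined with staleness checks and trading pauses rather than relied on alone.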


KiloEx is not the first victim. In the past:

  • Mango Markets (2022): lost about 100 million USD to oracle price manipulation.
  • Cream Finance (2021): exploited for about 130 million USD, again through manipulated prices.




This raises the question: Is the traditional oracle system the weakest link of current DeFi platforms?



Impact on the market and Binance users


An incident like KiloEx's has significant repercussions for the crypto community in general and Binance users in particular:

  • Trust in new DEXs is shaken, especially in platforms that have not been thoroughly security-audited.
  • Leveraged contract trading carries extra risk, since manipulated asset prices translate directly into wrongful liquidations.
  • Binance users should prioritize platforms with clear audits and decentralized oracle mechanisms, or ones that aggregate multiple price sources (for example Chainlink feeds).





Conclusion: When DEXs are no longer 'absolutely safe'


The 7 million USD attack on KiloEx shows that even a modern DEX operating across multiple chains can be brought down by a single vulnerability in its pricing system. It underlines the importance of comprehensive auditing and multi-layered oracle security in DeFi.


Unless the handling of price data and the monitoring of flash loans improve soon, similar attacks are likely to keep occurring.



🔍 Risk warning: the crypto and DeFi markets always carry high risk. Decentralized platforms are not automatically safe. Research thoroughly before participating, especially in leveraged or newly launched products, never invest beyond your risk tolerance, and always have a suitable capital-management plan.

#anhbacong