
KiloEX DEX Hacked by “Price Oracle Exploit” for $7.5 Million

15h ago

KiloEX, a decentralized exchange (DEX) built on the BNB Chain, suffered a $7.5 million attack and has suspended operations. Security analysts describe the hack as a ‘price oracle exploit.’ Binance Labs funded the DEX as part of its programme to support Binance Coin (BNB) projects. KiloEX has isolated the exploit and is now trying to track down the funds and recover the stolen tokens for its users.

The hack affected multiple tokens because the platform has a multi-chain design spanning the BNB Smart Chain, Taiko, and Base. The attacker used an address with funds sourced from Tornado Cash, leading some commentators to believe that North Korean hackers may be behind the attack, given their propensity to use mixers as part of their operations. The attacker used MetaMask to transfer the funds. For some reason, the hacker did not target Ethereum but instead focused on withdrawing stablecoins. The stolen funds sat in separate wallets, with no indication that Tornado Cash was being used to hide the tokens.

Chaofan Shou, co-founder of Fuzzland, said the attack was most likely the result of a price oracle issue, because anyone can change KiloEX's price oracle. According to Shou, there is a trusted forwarder process, but there is no verification after the forwarded call completes. Shou concluded that the exploit was a very simple process and, therefore, could have been prevented.

KiloEX quickly isolated the attack and suspended its platform. It reached out to other security firms to help track the funds. KiloEX took a novel approach to dealing with the breach, offering a reward to anyone who helped it retrieve the stolen funds. To prevent this type of attack from recurring, KiloEX aims to publish a final report outlining what went wrong.

KiloEX users predominantly stored their tokens in the KiloEX vault, which happened to be the main target of the intruders, causing maximum losses for users. KiloEX then shared the attacker’s address so that other platforms could prevent the hackers from withdrawing the stolen funds. Blacklisting addresses has become the latest strategy for platforms to prevent stolen money from entering the wider economy.

KiloEX has been around since 2023 and recently started expanding its operations. The DEX introduced more BNB-based meme tokens for users to exchange. Despite the recent attack, the DEX still has around $47.2 million in total value. In the past day, KiloEX had $31.8 million worth of activity, with $22 million invested in BTC-USDT trading.

Price oracles serve as a gateway between the DEX and the external world. In KiloEX's case, they fetch the price of tokens such as Bitcoin or Ethereum, and the DEX uses that data to decide how much money a trader made. Price oracles can therefore be targeted by hackers, because the price could theoretically be changed to benefit the attacker. This is how the KiloEX attack happened: the attacker manipulated the price oracle so that the exchange disproportionately paid out a reward. According to the transaction history, the attacker most likely set the Ethereum price to $100 and then changed it to $10,000, making a large profit and withdrawing all the extra money. KiloEX users, meanwhile, lost their hard-earned tokens within a matter of minutes.
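To make the two defects described above concrete (an oracle anyone can update through a forwarder that never checks the original caller, and a price that can swing from $100 to $10,000 in one update), here is an added Python model of a perpetual vault's oracle with those checks switched off and on. This is illustrative code, not KiloEX's contracts; the keeper allowlist, the 5% per-update deviation cap and the starting price of $2,000 are assumptions.

```python
from dataclasses import dataclass, field

# Assumption: a single update may move the price by at most 5% (500 bps).
MAX_DEVIATION_BPS = 500


class OracleRejected(Exception):
    """Raised when an oracle update fails a defensive check."""


@dataclass
class Oracle:
    price: float
    keepers: set = field(default_factory=set)  # authorised price submitters (assumed)
    enforce: bool = True                        # False reproduces the unchecked setter

    def update(self, submitter: str, new_price: float) -> float:
        if self.enforce:
            # Check 1: authorise the ORIGINAL submitter, not the trusted forwarder
            # that relayed the call; the forwarder cannot vouch for its caller.
            if submitter not in self.keepers:
                raise OracleRejected(f"{submitter} is not an authorised keeper")
            # Check 2: bound the jump per update so no single update can move
            # the price 100x, even if a keeper key is compromised.
            deviation_bps = abs(new_price - self.price) * 10_000 / self.price
            if deviation_bps > MAX_DEVIATION_BPS:
                raise OracleRejected(f"deviation {deviation_bps:.0f} bps exceeds cap")
        self.price = new_price
        return self.price


def position_pnl(size_eth: float, entry: float, exit_price: float) -> float:
    """USD profit of a long position: size * (exit - entry)."""
    return size_eth * (exit_price - entry)


def replay(enforce: bool) -> float:
    """Replay the sequence in the article: set ETH to $100, open a 1 ETH long,
    set ETH to $10,000, close. Returns the USD the vault would pay out."""
    oracle = Oracle(price=2_000.0, keepers={"keeper-1"}, enforce=enforce)
    attacker = "unauthorised-caller"  # constructed; not a real address
    try:
        oracle.update(attacker, 100.0)       # push price down before opening
        entry = oracle.price
        oracle.update(attacker, 10_000.0)    # push price up before closing
        return position_pnl(1.0, entry, oracle.price)
    except OracleRejected:
        return 0.0                           # vault pays nothing
```

With `enforce=False` the vault pays $9,900 on a 1 ETH position; with the checks on, the first unauthorised update is rejected and the payout is zero.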

KiloEX started its operations as perpetual DEXs became popular, with the promise of self-custody and more control over your funds. KiloEX settles all trades on-chain, meaning you have your funds immediately. In the attacker’s case, however, that same finality worked in their favour: once settled, the stolen funds were locked in, immutable, irreversibly taken, and legitimised by on-chain activity. KiloEX, being a DEX, offered no KYC, allowing for anonymous transactions.
