Decentralized derivatives platform KiloEx has been exploited for an estimated $7 million after a coordinated attack targeting its oracle system, prompting the exchange to suspend all operations.
The incident, which occurred Tuesday, was carried out by an attacker using a wallet funded through the crypto anonymizer Tornado Cash. The attacker launched simultaneous strikes across the Base, BNB Chain, and Taiko blockchains, exploiting a critical vulnerability in KiloEx’s price oracle infrastructure.
By manipulating the oracle through flash loans, the attacker fed inaccurate price data into the system, allowing them to execute leveraged trades at distorted values. These artificially inflated “profits” were swiftly withdrawn before the vulnerability was detected.
In a single transaction, over $3.1 million was extracted. The attacker repeated the process across multiple chains, taking full advantage of KiloEx’s multi-chain architecture to maximize gains and complicate detection.
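One common guard against the kind of short-lived price distortion described above is to reject any oracle update that is stale or that deviates too far from a time-weighted average of recently accepted prices. The sketch below is an added illustration in Python, not KiloEx's code or a description of its oracle; the class name, window, thresholds and sample quotes are assumptions constructed for the example.

```python
from collections import deque

class GuardedPriceFeed:
    """Hypothetical feed: accepts a price only if fresh and close to the trailing TWAP."""

    def __init__(self, window_s=600, max_dev=0.05, max_age_s=60):
        self.window_s, self.max_dev, self.max_age_s = window_s, max_dev, max_age_s
        self.obs = deque()  # accepted (timestamp, price) pairs, oldest first

    def twap(self, now):
        """Time-weighted average of accepted prices over the trailing window."""
        start = now - self.window_s
        # Keep one observation at or before the window start: the price in force then.
        while len(self.obs) > 1 and self.obs[1][0] <= start:
            self.obs.popleft()
        if not self.obs:
            return None
        total = weight = 0.0
        for i, (t, p) in enumerate(self.obs):
            seg_start = max(t, start)
            seg_end = self.obs[i + 1][0] if i + 1 < len(self.obs) else now
            dur = max(seg_end - seg_start, 0)
            total += p * dur
            weight += dur
        return total / weight if weight else self.obs[-1][1]

    def submit(self, price, observed_at, now):
        """Return (accepted, reason); only accepted prices enter the window."""
        if price <= 0:
            return False, "non-positive"
        if now - observed_at > self.max_age_s:
            return False, "stale"
        ref = self.twap(now)
        if ref is not None and abs(price - ref) / ref > self.max_dev:
            return False, "deviation"
        self.obs.append((now, price))
        return True, "ok"

def demo():
    # Constructed sample: steady quotes, a one-block spike, then a normal quote.
    quotes = [(0, 100.0), (120, 100.5), (240, 101.0), (252, 160.0), (264, 101.2)]
    feed = GuardedPriceFeed()
    return [feed.submit(p, observed_at=t, now=t)[1] for t, p in quotes]

if __name__ == "__main__":
    print(demo())
```

The first observation is accepted unchecked, so a real feed would seed the window from a trusted source. A tight deviation bound also delays acceptance of genuine fast market moves, which is the trade-off to tune.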
KiloEx has confirmed the breach, paused its platform, and is now working with partners to trace the movement of stolen funds and blacklist associated wallets. The exchange has also offered the attacker a 10% bounty if they return the remaining 90% of the stolen funds.
This event follows a series of similar oracle-based exploits across the DeFi sector, including high-profile incidents involving Mango Markets and Cream Finance, which lost $100 million and $130 million respectively.
As the investigation unfolds, KiloEx users await updates on potential fund recovery and the platform’s future roadmap.