A hacker stole $7.5 million from KiloEx by exploiting a flaw in the exchange’s price oracle system on April 14.
The attacker manipulated the Ethereum price the oracle reported to the protocol, buying Ethereum at $100 and then immediately selling it at $10,000, making over $3 million in a single transaction.
Multiple blockchains were hit with losses spread across Base ($3.3 million), opBNB ($3.1 million), and BNB Smart Chain ($1 million). Security teams discovered the hacker funded their wallet through Tornado Cash, a cryptocurrency mixing service that hides transaction trails.
KiloEx confirmed the breach early on April 15 and halted all platform activities immediately. The exchange is now working with security companies like PeckShield and Cyvers to track the stolen money.
“We urge all partner protocols and platforms to block the attacker’s wallet address,” KiloEx announced. The company has also launched a bounty program, as well as offering the hacker a deal: return 90% of the funds within 72 hours and keep $750,000 (10%) as a reward.
The cross-chain nature of the attack has complicated recovery efforts. The hacker used tools like zkBridge and Meson to move funds between different blockchains, making them harder to track.
The hack caused KiloEx’s own token to drop by almost 32% in value. This cut the project’s market capitalization from $11 million to $7.5 million.
Before the hack, KiloEx held $47.2 million in user funds and was growing its business with new trading pairs. The exchange, supported by YZi Labs (formerly Binance Labs), launched in 2023 and operates across several blockchains.
This incident adds to growing concerns about price oracle vulnerabilities in decentralized finance. Oracles feed off-chain data such as asset prices into on-chain contracts, and a protocol values every position against whatever the oracle reports, so whoever can write to the oracle controls the protocol's view of price. That makes oracles critical points of failure if the right to update them is not properly secured.
“Anyone can change Kilo’s price oracle. They did verify that the caller shall be a trusted forwarder, though, but didn’t verify the forwarded caller,” explained Chaofan Shou, co-founder of blockchain security firm Fuzzland.
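To make the bug class in that quote concrete, here is an added illustration in Solidity. It is not KiloEx's code and makes no claim about its actual contract layout; the contract names, the `setPrice` function, the `isKeeper` role and the price-deviation bound are all hypothetical. It follows the ERC-2771 meta-transaction convention, where a trusted forwarder relays a call and appends the original signer's address as the last 20 bytes of calldata. The vulnerable version only checks that `msg.sender` is the trusted forwarder, which anyone can route a call through; the hardened version authorizes the forwarded caller recovered from calldata.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical illustration of "trusted forwarder checked, forwarded caller not".
/// Minimal ERC-2771 context: a forwarder appends the signer as the last 20 bytes.
abstract contract ERC2771ContextLite {
    address public immutable trustedForwarder;

    constructor(address forwarder) {
        trustedForwarder = forwarder;
    }

    function isTrustedForwarder(address f) public view returns (bool) {
        return f == trustedForwarder;
    }

    // Recover the original signer for relayed calls; direct calls use msg.sender.
    function _msgSender() internal view returns (address sender) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= 20) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }
}

/// VULNERABLE (hypothetical): the only check is that the relay is trusted.
/// Any account can submit a meta-transaction through the public forwarder,
/// so any account can set the price.
contract VulnerableOracle is ERC2771ContextLite {
    uint256 public price;

    constructor(address forwarder, uint256 initialPrice) ERC2771ContextLite(forwarder) {
        price = initialPrice;
    }

    function setPrice(uint256 newPrice) external {
        require(isTrustedForwarder(msg.sender), "not trusted forwarder");
        price = newPrice; // no check on who asked the forwarder to relay this
    }
}

/// HARDENED (hypothetical): authorize the forwarded caller, not the relay,
/// and bound each update as defense in depth against a single huge swing.
contract HardenedOracle is ERC2771ContextLite {
    uint256 public price;
    address public immutable owner;
    mapping(address => bool) public isKeeper;

    // Maximum relative move per update, in basis points (assumed value: 10%).
    uint256 public constant MAX_DEVIATION_BPS = 1_000;

    constructor(address forwarder, uint256 initialPrice) ERC2771ContextLite(forwarder) {
        owner = msg.sender;
        price = initialPrice;
    }

    function setKeeper(address keeper, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isKeeper[keeper] = allowed;
    }

    function setPrice(uint256 newPrice) external {
        // The relay being trusted is necessary for _msgSender() to be meaningful,
        // but the authorization decision is made on the forwarded caller.
        address caller = _msgSender();
        require(isKeeper[caller], "forwarded caller is not a keeper");

        uint256 maxDelta = (price * MAX_DEVIATION_BPS) / 10_000;
        require(
            newPrice <= price + maxDelta && newPrice + maxDelta >= price,
            "price move exceeds deviation bound"
        );
        price = newPrice;
    }
}
```

The deviation bound is a second, independent control: even if a keeper key is compromised, a single update cannot take the reported price from $100 to $10,000, which is the kind of swing the article describes. The authorization fix is the primary one; a bound alone would not have stopped an unauthorized caller from drifting the price in many small steps.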
Similar attacks have hit other platforms before, including Mango Markets ($114 million in 2022) and Hyperliquid ($6.2 million last month). These recurring incidents raise questions about the security of DeFi protocols, especially those operating across multiple blockchains.
KiloEx has threatened to take legal action if the funds aren’t returned. “Your identity and activities will be exposed to relevant authorities. We will pursue legal action relentlessly,” the exchange warned the attacker.