- KiloEx offers a 10% bounty for the return of 90% of the $7.5M stolen within 72 hours and threatens legal action if the offer is not accepted.
- The exploit, causing a $7.5M loss, stemmed from the manipulation of KiloEx’s price Oracle system.
- KiloEx follows other DeFi platforms in facing attacks targeting price Oracle vulnerabilities.
On Friday, decentralized exchange KiloEx demanded the return of a large portion of the $7.5 million worth of funds exploited from its platform, warning that it would otherwise pursue aggressive legal action against the offender.
In a public statement posted today on X, the KiloEx team made a direct offer to the attacker: if 90% of the stolen funds is returned within 72 hours, the attacker will be compensated with 10% of the stolen sum, about $750,000. Failure to comply will mean being sued; the platform said that law enforcement agencies, cybersecurity firms, and independent exchanges are cooperating with it to take such action.
KiloEx, a blockchain-based perpetual futures trading exchange, said that the identity of the attacker (or attackers) has already been determined and that the blockchain addresses involved have been identified. The wallets in question are under constant surveillance: 0x551f3110f12c763d1611d5a63b5f015d1c1a954c, 0x00fac92881556a90fdb19eae9f23640b95b4bcbd, and 0xd43b395efad4877e94e06b980f4ed05367484bf3.
The team says that these wallets could be frozen at any time with the help of its network of partners.
KiloEx also set out the terms of the restitution: the 90% must be sent to designated wallets spread across several blockchain ecosystems, including opBNB, BNB Chain, Base, Ethereum, and Manta. In return, the decentralized exchange promised to resolve the issue privately, publicly acknowledge the return, and stop pursuing any further punitive measures.
The KiloEx team urged the attacker to act before the consequences become irreversible, and asked them to make contact by email or on-chain messaging. If the attacker does not accept the offer, the matter will become a full criminal investigation.
KiloEx Price Oracle Vulnerability Leads to $7.5M Exploit
On April 14, a vulnerability in KiloEx’s price Oracle system was exploited, leading to the security breach. PeckShield and Cyvers confirmed that the attacker’s wallet was funded through Tornado Cash before the exploit was deployed on multiple blockchain networks, including Base Network, BNB Chain, and Taiko.
The attacker manipulated external price feeds and was then able to open highly leveraged positions based on distorted asset valuations. This is what allowed them to siphon off huge sums from KiloEx’s vaults; in one notable transaction alone, more than $3.1 million was drained in a single transfer.
PeckShield reports that the exploit took tokens worth $3.3 million on Base, $3.1 million on opBNB, and $1 million on BNB Smart Chain.
KiloEx responded by quickly suspending all trading activity and sending alerts to affected protocols, asking them to blacklist the compromised addresses.
KiloEx declared the breach contained and immediately announced a bounty initiative. The exchange is currently working with several blockchain security partners to trace the stolen assets and recover them where possible, and it aims to publish a full incident report in the coming days.
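The manipulation described above works because the vault trusts whatever mark price it is handed. The following is an added example, not KiloEx’s code: it shows a median-plus-deviation guard that refuses a spiked mark price before it can be used to value a leveraged position. Feed names, thresholds and quotes are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Illustrative guard for a perpetuals vault: a mark price is only used to
# value leveraged positions if it agrees with a median of independent, fresh
# reference quotes. Thresholds, feed names and quotes are constructed here.
MAX_DEVIATION_BPS = 200   # reject a mark more than 2% from the reference median
MAX_STALENESS_SEC = 60    # ignore reference quotes older than 60 seconds


@dataclass(frozen=True)
class Quote:
    source: str
    price: float
    timestamp: int


def reference_price(quotes, now):
    """Median of fresh quotes, or None if fewer than two feeds are usable."""
    fresh = [q.price for q in quotes if now - q.timestamp <= MAX_STALENESS_SEC]
    return median(fresh) if len(fresh) >= 2 else None


def validate_mark(candidate, quotes, now):
    """Return (accepted, reason) for a candidate mark price."""
    ref = reference_price(quotes, now)
    if ref is None:
        return False, "insufficient fresh reference quotes; refuse to trade"
    deviation_bps = abs(candidate - ref) / ref * 10_000
    if deviation_bps > MAX_DEVIATION_BPS:
        return False, f"deviation {deviation_bps:.0f} bps exceeds {MAX_DEVIATION_BPS} bps"
    return True, "ok"


def position_pnl(size, entry, mark):
    """Unrealised PnL of a long position of `size` base units."""
    return size * (mark - entry)


# Constructed sample: two fresh feeds agree near 2000, a third is stale.
NOW = 1_000
SAMPLE_QUOTES = [
    Quote("feedA", 2000.0, NOW - 5),
    Quote("feedB", 2002.0, NOW - 10),
    Quote("feedC", 1999.0, NOW - 300),  # stale, excluded from the median
]

if __name__ == "__main__":
    for mark in (2001.0, 4000.0):  # honest mark vs. a spiked, manipulated mark
        ok, why = validate_mark(mark, SAMPLE_QUOTES, NOW)
        pnl = position_pnl(10, 2000.0, mark)
        print(f"mark={mark:>7}: accepted={ok} ({why}); 10-unit long would book {pnl:+.0f}")
```

Rejecting the mark is only half the defence; a production vault would also pause trading on the affected market when quotes disagree, since a stalled oracle is safer than a poisoned one.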
Another Oracle Attack Adds to Growing Trend
KiloEx now joins a growing list of DeFi protocols victimised by Oracle-based exploits. The oracles that feed real-world price data into smart contracts have persisted as an attack vector.
In June 2024, a similar incident hit UwU Lend, which lost $19.4 million through price Oracle tampering. As in the KiloEx case, the attacker’s wallets were funded through Tornado Cash, and falsified price feeds were used to drain millions within minutes. The protocol’s founder, Michael Patryn, better known as 0xSifu, subsequently offered a 20% bounty for the return of the stolen funds.
Meanwhile, the industry is watching KiloEx as the deadline approaches. If the attacker accepts the terms, it may signal a shift in the DeFi space, with exploiters giving themselves up more often instead of counting on staying anonymous. If not, KiloEx is eager to pursue the legal and forensic avenues and make an example of the case.