
DEX KiloEx Loses $7M in Oracle Manipulation Attack
KiloEx has temporarily suspended its operations and is working with partners to track down the stolen funds and blacklist the attacker's wallet.
Author: Shaurya Malwa | Edited by: Parikshit Mishra | Updated: April 15, 2025, 02:57 PM | Published: April 15, 2025, 07:00 AM

What you need to know:
- Decentralized exchange KiloEx has suffered $7 million in losses as a result of a sophisticated attack that exploited a vulnerability in its price oracle system.
- The attacker used Tornado Cash to fund the wallet and manipulated asset prices across multiple blockchain networks, including Base, BNB Chain, and Taiko.
- KiloEx has temporarily suspended its operations and is working with partners to track down the stolen funds and blacklist the attacker's address.
Earlier on Tuesday, KiloEx, a decentralized exchange (DEX) for trading perpetual futures, suffered a sophisticated attack that left users with losses of around $7 million.
According to analytics firm Cyvers, the exploit was detected on multiple blockchains and appears to have been caused by a vulnerability in the platform's price oracle system.
The attacker, using a wallet funded through Tornado Cash, a tool that hides transaction traces, made a series of transactions on the Base, BNB Chain, and Taiko networks that exploited the vulnerability in the platform's price oracle system, allowing him to manipulate asset prices.
🚨7M HACK ALERT🚨 Our system has detected multiple suspicious transactions involving @KiloEx_perp across multiple chains.
An address funded via @TornadoCash has executed a number of fraudulent transactions across the $BNB, $Base, and $Taiko networks, raising approximately $7 million in… pic.twitter.com/od4UTsSrXs
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) April 14, 2025
KiloEx has confirmed the hack, suspended the platform, and is now working with partners to track the stolen funds and blacklist the attacker's address.
The DEX offered the hacker a 10% reward if he returned 90% of the funds.
Oracles are blockchain tools that feed external data into the blockchain, where smart contracts use that information to make decisions in a financial application. So, an oracle tells the platform whether Ether (ETH) is worth $2,000 or $3,000, ensuring that trades occur at fair market prices.
However, oracles can be a weak link. In the case of KiloEx, the attacker exploited a vulnerability in the access control of the price oracle – essentially a flaw that allowed him to falsify data using flash loans (or temporary liquidity), which tricked the system into believing false prices.
The attacker manipulated the oracle to indicate an absurdly low price for ETH (e.g. $100) when opening a leveraged trading position. Leverage allows traders to borrow funds to increase their bets, so the fake price can create huge distortions.
To the platform, the position then looked like it had made a huge profit, which the attacker withdrew from the KiloEx vault. The attacker repeated this through Base, BNB Chain, and Taiko, exp
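An added example, not code from KiloEx or from the article: a toy Python model of the mechanism described above, showing how a price setter with no caller check turns a fake entry price into profit owed by the vault, and how a caller check plus a deviation bound refuses the update. The class and function names, the single "keeper" role, the 5% bound, and the position size are all assumptions for illustration.

```python
class OracleError(Exception):
    """Raised when a price update is refused."""


class PriceOracle:
    """Toy price feed (hypothetical; not KiloEx's contract)."""

    def __init__(self, price, keeper, enforce_acl, max_deviation=None):
        self.price = price
        self.keeper = keeper                # assumed single authorised updater
        self.enforce_acl = enforce_acl      # False models the missing access check
        self.max_deviation = max_deviation  # e.g. 0.05 = refuse moves over 5%

    def set_price(self, caller, new_price):
        if self.enforce_acl and caller != self.keeper:
            raise OracleError("caller is not an authorised price updater")
        if self.max_deviation is not None:
            if abs(new_price - self.price) / self.price > self.max_deviation:
                raise OracleError("update exceeds deviation bound")
        self.price = new_price


def long_pnl(margin, leverage, entry_price, exit_price):
    """Profit of a leveraged long: notional * relative price change."""
    return margin * leverage * (exit_price - entry_price) / entry_price


def vault_exposure(oracle, caller, fake_price, margin=1_000, leverage=10):
    """Return (payout owed by the vault, whether the update was rejected)."""
    market_price = oracle.price
    try:
        oracle.set_price(caller, fake_price)  # attempted entry-price change
        rejected = False
    except OracleError:
        rejected = True
    entry = oracle.price  # position opens at whatever the oracle reports
    return long_pnl(margin, leverage, entry, market_price), rejected


if __name__ == "__main__":
    # Constructed values: $2,000 market price, $100 fake price as in the article.
    unguarded = PriceOracle(2_000, "keeper", enforce_acl=False)
    guarded = PriceOracle(2_000, "keeper", enforce_acl=True, max_deviation=0.05)
    print(vault_exposure(unguarded, "stranger", 100))  # fake price accepted
    print(vault_exposure(guarded, "stranger", 100))    # blocked by caller check
    print(vault_exposure(guarded, "keeper", 100))      # blocked by deviation bound
```

The deviation bound is a second layer beyond the access-control issue the article names: it still refuses the update when the authorised key itself submits an implausible price.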