KiloEx Suspends Operations After $7M Exploit Linked to Smart Contract Vulnerability

The decentralized trading platform KiloEx has confirmed it suffered a major security breach resulting in a loss of approximately $7 million.

The exploit was made possible through a vulnerability in one of the platform’s smart contracts, allowing an attacker to manipulate oracle prices across several blockchain networks. In response, KiloEx has suspended all operations and begun a full investigation into the incident.

How the Exploit Happened

According to KiloEx and blockchain security firms, the attack stemmed from a lack of access control in a key smart contract known as MinimalForwarder. The attacker used this weakness to bypass the normal validation checks by submitting a forged signature together with an arbitrary "from" address of their choosing. This allowed them to manipulate the platform’s price feed system and execute unauthorized actions.

The main point of attack was the setPrices function in the KiloPriceFeed contract, which is designed to update asset prices. This function is supposed to be reachable only through a specific chain of contracts: Keeper, then PositionKeeper, then MinimalForwarder. However, because the MinimalForwarder’s execute function did not enforce the restrictions that chain relies on, the attacker could step into the process directly.

By lowering asset prices, opening a long position, and then inflating the prices before closing it, the attacker was able to walk away with millions in stolen funds.
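The pattern described above is the general ERC-2771 meta-transaction trust problem: a target contract takes the logical sender from the last 20 bytes of calldata appended by a forwarder, so a forwarder that relays requests without verifying the signature lets any caller impersonate any address. The following is an added illustration, not KiloEx’s code and not a reconstruction of its contracts: a hypothetical UncheckedForwarder that skips verification beside a CheckedForwarder that enforces an EIP-712 signature and per-signer nonce, and a GuardedPriceFeed whose setPrices only accepts calls relayed by one trusted forwarder on behalf of a keeper address. All contract, function and role names are assumptions chosen for the example; the imports assume the OpenZeppelin Contracts v5 library is available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";

/// Hypothetical, deliberately weak forwarder (illustration only, not KiloEx code):
/// execute() never checks the signature or the nonce, so any caller can pick `from`.
contract UncheckedForwarder {
    struct ForwardRequest { address from; address to; uint256 value; uint256 gas; uint256 nonce; bytes data; }

    function execute(ForwardRequest calldata req, bytes calldata /* signature */)
        external payable returns (bool success, bytes memory ret)
    {
        // Missing: signature and nonce verification. The relayed call still appends
        // req.from, so an ERC-2771 target will treat req.from as the logical sender.
        (success, ret) = req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
    }
}

/// Hardened forwarder: the request must carry a valid EIP-712 signature from `from`
/// over every field, and the nonce must match, so requests cannot be forged or replayed.
contract CheckedForwarder is EIP712 {
    struct ForwardRequest { address from; address to; uint256 value; uint256 gas; uint256 nonce; bytes data; }

    bytes32 private constant TYPEHASH = keccak256(
        "ForwardRequest(address from,address to,uint256 value,uint256 gas,uint256 nonce,bytes data)"
    );
    mapping(address => uint256) public nonces;

    constructor() EIP712("CheckedForwarder", "1") {}

    function verify(ForwardRequest calldata req, bytes calldata signature) public view returns (bool) {
        bytes32 digest = _hashTypedDataV4(
            keccak256(abi.encode(TYPEHASH, req.from, req.to, req.value, req.gas, req.nonce, keccak256(req.data)))
        );
        address signer = ECDSA.recover(digest, signature);
        return nonces[req.from] == req.nonce && signer == req.from;
    }

    function execute(ForwardRequest calldata req, bytes calldata signature)
        external payable returns (bool success, bytes memory ret)
    {
        require(verify(req, signature), "CheckedForwarder: bad signature or nonce");
        nonces[req.from] = req.nonce + 1; // consume the nonce before the external call
        (success, ret) = req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
    }
}

/// Price feed that only accepts updates relayed by the single trusted forwarder
/// and only when the relayed request was signed by an address holding the keeper role.
/// Even with a checked forwarder, the target must still restrict *who* may set prices.
contract GuardedPriceFeed is ERC2771Context {
    mapping(address => bool) public isKeeper;
    mapping(address => uint256) public prices;

    constructor(address forwarder, address keeper) ERC2771Context(forwarder) {
        isKeeper[keeper] = true;
    }

    function setPrices(address[] calldata tokens, uint256[] calldata newPrices) external {
        // Enforce the documented call path: direct calls from EOAs or other contracts are rejected.
        require(isTrustedForwarder(msg.sender), "GuardedPriceFeed: not via trusted forwarder");
        // _msgSender() is the address the forwarder appended, i.e. the signer it verified.
        require(isKeeper[_msgSender()], "GuardedPriceFeed: sender is not a keeper");
        require(tokens.length == newPrices.length, "GuardedPriceFeed: length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            prices[tokens[i]] = newPrices[i];
        }
    }
}
```

The two checks are independent and both are needed: the forwarder’s signature and nonce check stops an arbitrary caller from relaying a request "from" an address that never signed it, and the price feed’s keeper check stops a correctly signed request from a non-keeper from reaching setPrices at all. For detection, a price update transaction whose origin is not a known keeper, or whose forwarder call succeeds without a matching nonce increment, is the anomaly to alert on.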

Response and Recovery Measures

KiloEx has stated that the situation is now under control. The team has contacted all partner protocols and advised them to blacklist the wallet address involved in the exploit. They are also working closely with cybersecurity experts to trace the movement of the stolen assets.

To aid the investigation, KiloEx is preparing a detailed incident report and will soon launch a bounty program, encouraging members of the crypto community to help identify the attacker or recover the lost funds.