KiloEx Public Price Oracle Access Control Vulnerability
KiloEX is a fast-growing cryptocurrency trading platform known for its diverse offerings, including hot derivatives, meme coins, and generous new user promotions like 100 free KILO tokens and up to $200 in welcome gifts. With over $38 billion in trading volume and nearly 900,000 users, it boasts a strong community presence across platforms like Telegram and Discord. Despite a major $7.5 million exploit caused by a price oracle flaw, the breach was quickly contained, and the platform worked with top security firms to trace and recover the stolen funds—ultimately succeeding. KiloEX has since reaffirmed its commitment to user trust through security certification and ongoing transparency.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]
About KiloEx
KiloEx is a growing cryptocurrency trading platform offering various services for users interested in trading digital assets. One of its major promotions includes a giveaway for new users—upon completing their first trade in the KILO/USDT pair, users can earn 100 KILO tokens. Additionally, new signups are eligible to receive a welcome gift of up to $200. Users can also connect their wallets to unlock earning opportunities, making KiloEx attractive for both novice and seasoned crypto traders.
The platform boasts impressive statistics, with over $38 billion in total trading volume, more than $6 million in open interest, and a user base of over 878,000 individuals. It also highlights over 1 million users on its Telegram app channel, suggesting strong community engagement. KiloEx is backed by partnerships and has undergone security certification, enhancing trust among users.
KiloEx provides a variety of trading options, including hot derivatives for popular cryptocurrencies like BTC, ETH, SOL, and XRP. The platform also lists meme coins and trending assets such as FARTCOIN and BROCCOLI714. FARTCOIN, in particular, leads the top gainers list with a notable 9.95% increase. KiloEx regularly updates its new listings and features an active ecosystem that includes referral programs, affiliate opportunities, airdrops, and community support through channels like Discord and multiple localized Telegram groups.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
KiloEx lost $7.5m to an exploit of its price oracle, which lacked proper access control.
| Date | Event | Description |
|---|---|---|
| April 14th, 2025 12:52:27 PM MDT | Exploit Transaction On BNB/opBNB | An exploit transaction on BNB that nets the exploiter 892,937.51908942 BSC-USD. Simultaneously, a transaction on opBNB profits the exploiter |
| April 14th, 2025 12:53:27 PM MDT | Exploit Transaction On Base | An exploit transaction on Base that nets the exploiter 3,125,495.724597 USDC. |
| April 14th, 2025 1:21:00 PM MDT | Chaofan Shou Tweet 1 | Chaofan Shou reports that KiloEx appears to be hacked and "$6M+ loss already". The reasoning is attributed to being "[l]ikely due to price oracle access control issues." |
| April 14th, 2025 2:40:00 PM MDT | Chaofan Shou Tweet 2 | Chaofan Shou reports that anyone is able to modify the price oracle on KiloEx. |
| April 14th, 2025 3:49:00 PM MDT | KiloEx Public Announcement | KiloEx announces the security incident involving an exploit of the KiloEx Vault. They report that the breach has been contained, and include the attacker’s wallet address with a call for all partner platforms to blacklist it. In response to the attack, KiloEx has suspended platform usage and is actively working with security partners to trace the flow of funds. A bounty program will be launched, and efforts are underway to analyze the attack vector, assess the affected assets, and recover stolen funds in collaboration with ecosystem partners. A comprehensive report is also promised to the community, with further updates to follow. |
| April 14th, 2025 10:21:51 PM MDT | CryptoNews Article Published | CryptoNews reports that decentralized exchange KiloEX has frozen its platform following a $7.5 million exploit, citing a flaw in its price oracle system that allowed attackers to manipulate ETH/USD prices for massive gains. The breach, which impacted multiple blockchain networks including BASE, opBNB, and BSC, was swiftly contained, and KiloEX is now collaborating with top security firms and blockchain partners to trace and recover the stolen funds. In the aftermath, the exchange plans to launch a bounty program to aid recovery efforts, while its native token, Kilo, has plunged over 31%, reflecting shaken investor confidence. |
| April 15th, 2025 11:41:17 AM MDT | Decrypt News Article | Decrypt reports that decentralized exchange KiloEX has suspended operations following a $7.5 million exploit, attributed to a “price oracle exploit” that manipulated asset prices to drain funds. Launched in 2023 with backing from Binance Labs, KiloEX confirmed the breach is contained and is working with security partners to trace the stolen assets. The attacker’s wallet has been identified, and users are urged to block it. While a detailed report is forthcoming, the exchange has offered the hacker a chance to return 90% of the stolen funds in exchange for leniency, warning of legal consequences otherwise. |
| April 18th, 2025 3:50:00 AM MDT | KiloEx Reports Recovery | KiloEx reports the successful recovery of all funds stolen during its recent security breach, marking a full resolution with no user losses. The exchange is now working with judicial authorities and cybersecurity experts to formally close the case and will award 10% of the recovered assets as a bounty to the white hat hacker who aided in the effort. KiloEx emphasized that no further legal action will be pursued, and the matter is considered resolved in good faith. The platform thanked its partners and community for their support, reaffirming its commitment to security, transparency, and collaboration with the ethical hacking community. |
| April 18th, 2025 9:36:58 AM MDT | CoinDesk News Article | CoinDesk reports that KiloEx has successfully recovered the full $7.5 million lost in a recent sophisticated hack that exploited its price oracle system. In response, the decentralized exchange is awarding 10% of the recovered funds to white hat hackers who helped resolve the incident. The recovery effort, coordinated with legal and cybersecurity partners, marks a rare positive outcome in the DeFi space, where most hacked funds are never returned. Following the news, KiloEx’s native token KILO surged over 14%, outperforming the broader market. The case underscores both the risks and collaborative potential within the decentralized finance ecosystem. |
Technical Details
PeckShield: "Our initial analysis on one exploit tx indicates a price oracle issue. And the hacker exploits it to create a new position with initial given ETHUSD price of 100 and then immediately close the position with *INFLATED* ETHUSD price of 10000, netting the $3.12m profit in one single tx."
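To make the failure mode concrete, the following is an added example written for this case study; it is a hypothetical Python model, not KiloEx's contracts, and the keeper and outsider addresses, the position size and the sample update log are all constructed. It contrasts an oracle setter that ignores the caller (the access-control gap PeckShield and Chaofan Shou describe) with a hardened setter that enforces a keeper allowlist and a per-update deviation bound, and it includes a detection pass a monitor could run over indexed oracle-update events.

```python
# Added example (not KiloEx's code): a Python model of a perpetual vault whose
# price oracle either accepts writes from anyone (the flaw the page describes)
# or enforces a keeper allowlist plus a per-update deviation bound.
from dataclasses import dataclass, field


class UnauthorizedUpdate(Exception):
    """Raised when a non-keeper tries to write a price."""


class PriceDeviation(Exception):
    """Raised when a single update moves the price beyond the allowed band."""


def deviation_bps(old: float, new: float) -> float:
    """Absolute price move in basis points relative to the previous price."""
    return abs(new - old) * 10_000 / old


@dataclass
class Position:
    size_usd: float
    entry_price: float


@dataclass
class PriceOracle:
    keepers: frozenset             # addresses allowed to push prices (constructed)
    prices: dict = field(default_factory=dict)
    max_deviation_bps: int = 1000  # reject a single update that moves price >10%

    def update_unchecked(self, caller: str, pair: str, price: float) -> None:
        # Vulnerable variant: caller is ignored, so any address can set any price.
        self.prices[pair] = price

    def update(self, caller: str, pair: str, price: float) -> None:
        # Hardened variant: allowlist check first, then a sanity bound on the move.
        if caller not in self.keepers:
            raise UnauthorizedUpdate(caller)
        last = self.prices.get(pair)
        if last is not None and deviation_bps(last, price) > self.max_deviation_bps:
            raise PriceDeviation(f"{pair}: {last} -> {price}")
        self.prices[pair] = price


@dataclass
class Vault:
    oracle: PriceOracle
    liquidity_usd: float
    positions: dict = field(default_factory=dict)

    def open_long(self, trader: str, pair: str, size_usd: float) -> None:
        self.positions[trader] = Position(size_usd, self.oracle.prices[pair])

    def close(self, trader: str, pair: str) -> float:
        # Linear PnL: size * (exit - entry) / entry, paid out of vault liquidity.
        pos = self.positions.pop(trader)
        exit_price = self.oracle.prices[pair]
        pnl = pos.size_usd * (exit_price - pos.entry_price) / pos.entry_price
        self.liquidity_usd -= pnl
        return pnl


KEEPER = "0xkeeper"      # constructed placeholder addresses
OUTSIDER = "0xoutsider"


def unchecked_oracle_scenario() -> float:
    """Replays the sequence the page describes (entry at ETHUSD 100, exit at
    10000) against the unchecked setter and returns what the vault pays out."""
    oracle = PriceOracle(keepers=frozenset({KEEPER}))
    vault = Vault(oracle, liquidity_usd=3_300_000.0)
    oracle.update_unchecked(OUTSIDER, "ETHUSD", 100.0)
    vault.open_long(OUTSIDER, "ETHUSD", size_usd=31_570.0)  # constructed size
    oracle.update_unchecked(OUTSIDER, "ETHUSD", 10_000.0)
    return vault.close(OUTSIDER, "ETHUSD")


def hardened_oracle_scenario() -> tuple:
    """Same writes against the hardened setter. Returns the exception names
    raised by the outsider's write and by a keeper's 100x jump, plus the price
    that survives (the genuine one)."""
    oracle = PriceOracle(keepers=frozenset({KEEPER}))
    oracle.update(KEEPER, "ETHUSD", 1_600.0)  # constructed genuine price
    outcomes = []
    try:
        oracle.update(OUTSIDER, "ETHUSD", 100.0)
    except UnauthorizedUpdate as exc:
        outcomes.append(type(exc).__name__)
    try:
        oracle.update(KEEPER, "ETHUSD", 160_000.0)
    except PriceDeviation as exc:
        outcomes.append(type(exc).__name__)
    return tuple(outcomes), oracle.prices["ETHUSD"]


# Constructed oracle-update events, shaped like what a monitor might index from chain logs.
SAMPLE_UPDATES = [
    {"block": 100, "pair": "ETHUSD", "caller": KEEPER,   "old": 1_610.0, "new": 1_600.0},
    {"block": 101, "pair": "ETHUSD", "caller": OUTSIDER, "old": 1_600.0, "new": 100.0},
    {"block": 101, "pair": "ETHUSD", "caller": OUTSIDER, "old": 100.0,   "new": 10_000.0},
]


def audit_updates(events, keepers, max_bps: int = 1000) -> list:
    """Detection pass: flag writes from non-keepers or moves beyond max_bps."""
    findings = []
    for ev in events:
        reasons = []
        if ev["caller"] not in keepers:
            reasons.append("non-keeper caller")
        move = deviation_bps(ev["old"], ev["new"])
        if move > max_bps:
            reasons.append(f"moved {move:.0f} bps")
        if reasons:
            findings.append((ev["block"], ev["pair"], reasons))
    return findings


if __name__ == "__main__":
    print(unchecked_oracle_scenario())
    print(hardened_oracle_scenario())
    print(audit_updates(SAMPLE_UPDATES, {KEEPER}))
```

The two controls are deliberately independent: the allowlist stops an outsider from writing at all, and the deviation bound limits the damage a compromised or buggy keeper can do in a single update. The audit pass applies the same two rules after the fact, so a 100x move within one block, or any write from an address outside the keeper set, surfaces as a finding even before the position is closed.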
Total Amount Lost
PeckShield reports "a loss of ~7.5m ($3.3m in base, $3.1m in opBNB, $1m in BSC)".
The total amount lost has been estimated at $7,492,000 USD.
Immediate Reactions
"The exploit has been contained. The team has immediately suspended platform usage and is working with security partners to trace the flow of funds. The team will release a bounty program.
We are analyzing the attack vector and affected assets. We are collaborating with ecosystem partners to trace and recover funds where possible. We are preparing a full report which will be shared with the community in the coming days."
Ultimate Outcome
While KiloEX confirmed that the exploit was quickly contained and is now under investigation with the help of top blockchain security firms, the damage was already done. The exchange's native token, Kilo, suffered a sharp decline—dropping over 31% to $0.0353, and losing more than 78% of its value since its March peak. KiloEX focused on recovering the stolen assets through a bounty program and collaborative efforts with partners like BNB Chain and SlowMist. It appears that the lost funds were ultimately recovered.
Total Amount Recovered
It appears that the lost funds were ultimately recovered.
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- KiloEx - Rekt (Accessed Apr 21, 2025)
- Chaofan Shou - ".@KiloEx_perp is hacked. $6M+ loss already. Likely due to price oracle access control issues." - Twitter/X (Accessed Apr 21, 2025)
- Cyvers Alerts - "An address funded via @TornadoCash has executed a series of exploitative transactions on the $BNB, $Base, and $Taiko chains — accumulating approximately $7M in total." - Twitter/X (Accessed Apr 21, 2025)
- Chaofan Shou - "Anyone can change the Kilo's price oracle. lol" - Twitter/X (Accessed Apr 21, 2025)
- KiloEx - "Security Incident Announcement: KiloEx Vault Exploit" - Twitter/X (Accessed Apr 22, 2025)
- PeckShield - "The @KiloEx_perp protocol was hacked today with a loss of ~7.5m ($3.3m in base, $3.1m in opBNB, $1m in BSC)." - Twitter/X (Accessed Apr 22, 2025)
- Binance-Backed DEX KiloEX Suspends Operations Following $7.5 Million Exploit - Decrypt (Accessed Apr 22, 2025)
- KiloEx's KILO Token Surges as Funds Recovered Swiftly After ‘Sophisticated’ Hack - CoinDesk (Accessed Apr 22, 2025)
- Attacker Profits 3,125,495.724597 USDC - BaseScan (Accessed Apr 22, 2025)
- Attacker Profits 892,937.51908942 BSC-USD - BNBScan (Accessed Apr 22, 2025)
- Attacker Profits 2,885,961.64279485 USDT - OPBNBScan (Accessed Apr 22, 2025)
- Attacker Profits 40,959.971124 USDC - TaikoScan (Accessed Apr 22, 2025)
- Attacker Profits 100,000 USDT - Manta Network (Accessed Apr 22, 2025)
- Decentralized Exchange KiloEX Freezes Platform Following $7.5M Exploit - CryptoNews (Accessed Apr 22, 2025)
- KiloEx - "We are pleased to announce that we have successful recovery of all stolen funds related to the recent security incident. This outcome underscores our commitment to protecting user assets and fostering a secure ecosystem." - Twitter/X (Accessed Apr 22, 2025)