KiloEx Hack - April 2025
The Exploit
In April 2025, KiloEx, a decentralized exchange (DEX), was the victim of a $7.5 million hack. The attackers performed a price oracle manipulation attack to exploit the DEX.
Technical Details
Inadequate access controls and input validation enabled an attacker to submit a transaction that executed a chain of function calls that artificially lowered and raised the perceived value of various tokens. One example transaction on the Base network shows the attacker entering a position at an ETHUSD price of $100, then immediately exiting it at $10,000, netting $3.12 million in a single transaction.
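The following Solidity sketch is an added illustration, not KiloEx's code: an oracle whose price setter has no caller check, beside a hardened version that restricts updates to authorised keepers and rejects a single update that moves the price more than a fixed percentage from the last stored value. All contract and function names here are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: neither contract is KiloEx's code.
// Vulnerable pattern: anyone can push a price, so a caller can store
// $100 before opening a position and $10,000 before closing it.
contract UnguardedPriceFeed {
    mapping(bytes32 => uint256) public price; // e.g. keccak256("ETHUSD") => price * 1e8

    function setPrice(bytes32 pair, uint256 newPrice) external {
        price[pair] = newPrice; // no caller check, no sanity check
    }
}

// Hardened pattern: only authorised keepers may update, and an update
// that moves the price more than maxDeviationBps from the last value
// is rejected, so one transaction cannot swing ETHUSD from 100 to 10,000.
contract GuardedPriceFeed {
    address public immutable owner;
    mapping(address => bool) public isKeeper;
    mapping(bytes32 => uint256) public price;
    uint256 public constant maxDeviationBps = 1_000; // 10% per update

    error NotKeeper();
    error PriceDeviation(uint256 oldPrice, uint256 newPrice);

    constructor() {
        owner = msg.sender;
    }

    function setKeeper(address keeper, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isKeeper[keeper] = allowed;
    }

    function setPrice(bytes32 pair, uint256 newPrice) external {
        if (!isKeeper[msg.sender]) revert NotKeeper();
        require(newPrice > 0, "zero price");
        uint256 old = price[pair];
        if (old != 0) {
            uint256 diff = newPrice > old ? newPrice - old : old - newPrice;
            if (diff * 10_000 > old * maxDeviationBps) revert PriceDeviation(old, newPrice);
        }
        price[pair] = newPrice;
    }
}
```

The deviation bound only caps the swing per update; a production feed would also need staleness checks and more than one independent price source.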
Distribution of Losses
KiloEx is a multi-chain protocol, and the attacker exploited it on both Base and BSC. In total, about $7.5 million was stolen across Base, opBNB, and BSC tokens.
Response and Recovery Efforts
After the hack was discovered, KiloEx offered a $750k bounty and promised not to pursue legal action if the remaining 90% of the stolen funds were returned. KiloEx later disclosed on April 18th that it would drop all legal actions and still reward the hacker with the promised white hat bounty.
The DEX released its security incident post-mortem report on April 21st, explaining the root cause of the incident and reviewing the timeline of events.
Sources