The recent activity on KiloEX, a burgeoning perpetual futures DEX, raised eyebrows amongst crypto investigators, indicating a possible hack which reportedly led to an estimated loss of over $6 million.
The alarm was first raised by investigator Chaofan Shou who noted suspicious activity on the platform. Shou pointed out that an attacker appeared to have gained control of price oracles, thereby manipulating the price information and draining the liquidity from the platform. This vulnerability meant that anyone could alter the price oracle to any value they wished.
It wasn’t long before Cyvers Alerts also began tracking the exploit, estimating that losses rapidly escalated to $7 million. Notably, this attack was multi-chain and affected tokens on BNB Smart Chain, Base, and Taiko. Multiple tokens were impacted and at this stage, the attack is still ongoing.
Interestingly, the hacker’s initial address was funded by Tornado Cash, leading to speculation that the exploit may be the work of DPRK hackers. The hacker reportedly used MetaMask for transfers and to bridge to other chains in order to target KiloEX, which operates on both BNB Smart Chain and Manta Network.
The hackers, however, did not target the Ethereum chain, opting instead for stablecoins on other networks. Around an hour after the hack, most of the stolen assets were found in known large wallets, with no apparent signs of splitting or transfers to Tornado Cash.
Among the withdrawals were USDC and USDT, and on-chain investigators are now trying to freeze these tokens. A flagged destination address on BNB Smart Chain is already carrying over $3.1 million USDT.
Following the exploit, KiloEX’s native token KILO took a significant hit, plummeting by nearly 17% from $0.049 to $0.040. This further eroded the value for airdrop recipients.
The unfortunate circumstances have once again shone a spotlight on the security vulnerabilities of DeFi projects, following the GMX exploit last month. Smart contract vulnerabilities and price determination weaknesses have created opportunities for hackers to withdraw valuable assets. This is particularly damaging for end users who provide the project’s liquidity in hopes of passive returns.
Despite being a relatively new player, having launched during the 2023 bear market, KiloEX had been gaining traction. Prior to the hack, the DEX had announced a liquidity boost event to trade some of the hottest BNB Smart Chain meme tokens. Now, the DEX carries a total value of $47.2 million, making it a potentially attractive target for hackers.
At a time when perpetual DEXs are attracting more users due to the volatile BTC market and the prospects of high-leverage trading, KiloEX had been thriving. All trades on KiloEX are settled on-chain, enabling the exploiter to lock in gains immediately. However, the platform lacks the ability to lock withdrawals. As a no-KYC exchange, it offers completely anonymous access to its trading pairs.
KiloEX had aimed to rival the likes of Hyperliquid and GMX, offering up to 100X leverage on BTC, ETH, and BNB. Despite operating on a smaller scale, KiloEX had ambitions of replicating their successful model. The DEX had raised just $750k through a combination of launchpool sales, IDO, and a strategic funding round, and had garnered support from YZi Labs and Manta Network.
