KiloEx, a decentralized perpetuals trading platform incubated by YZi Labs, just hit the news with a $2 million+ exploit. The incident led to total losses of approximately $7.4 million across all chains combined. As a direct result of the cross-chain attack, all platform operations were suspended immediately. KiloEx confirmed the breach within hours.

In terms of actual financial damage, the exploit was more benign. It led to $3.3 million in losses on Base, $3.1 million on opBNB and $1 million on BSC. Given that this was a long-time attacker, KiloEx has contacted various protocols and platforms to blacklist the attacker's wallet. Because some of the stolen funds were in USD Coin (USDC), it became likely that USDC issuers would seek to blacklist the compromised assets.

Further investigation found that the attacker's wallet was funded via Tornado Cash. Before the exploit, the wallet had carried out a series of suspicious transactions on Base, Taiko, and BNB Chain (BNB). We have pinpointed a price oracle issue as the leading cause of the exploit. This vulnerability is what gave the attacker extraordinary power to abuse the platform.

KiloEx is already working with several top blockchain security companies. Their collaboration has allowed for a deep investigation into how best to recover the stolen funds. KiloEx has already begun its remediation efforts by launching a bounty program. The initiative aims to bring together intelligence and support from across the broader security community. The platform intends to post a comprehensive postmortem report. The report will detail the particulars of the attack, the vulnerabilities exploited, and the steps taken to ensure that something similar doesn't happen again.