$7M Drained from KiloEx in Alleged Oracle Manipulation Incident

KiloEx, a decentralized exchange specializing in perpetual futures, has fallen victim to a sophisticated cross-chain exploit that resulted in the loss of roughly $7 million.

The attack, which occurred early Tuesday, involved the manipulation of the DEX’s price oracle system—a critical component that feeds real-world asset prices to blockchain applications. According to threat intelligence from Cyvers, the attacker used a wallet funded through Tornado Cash to mask their identity and executed the exploit across the Base, BNB Chain, and Taiko networks.

By exploiting a vulnerability in KiloEx’s oracle access controls, the attacker used flash loans to feed false asset prices into the platform. This manipulation enabled them to open highly leveraged positions at absurdly undervalued prices—such as ETH appearing worth just $100—making it seem like they were generating massive profits. The proceeds were quickly withdrawn before any safeguards could kick in.

In a single transaction, the attacker reportedly walked away with $3.12 million. The damage spanned multiple chains, taking full advantage of KiloEx’s cross-chain architecture.

KiloEx has since suspended trading and is actively working with partners to track down the attacker and blacklist the compromised wallet. The platform has also extended a 10% bounty offer to the hacker if 90% of the funds are returned.

This breach highlights a recurring issue in DeFi: insecure oracles. Similar manipulation attacks have previously rocked protocols like Mango Markets and Cream Finance, with losses reaching as high as $130 million.

As investigations continue, KiloEx users remain in limbo—another stark reminder of the risks that still plague decentralized finance.