Kiloex loses $7 million in apparent oracle manipulation attack

Kiloex, a decentralized exchange (DEX) for trading perpetual futures, was hit by a sophisticated attack earlier Tuesday, leaving it with losses of about $7 million.

The exploit unfolded across several blockchain networks and appeared to stem from a vulnerability in the platform's price oracle system, according to blockchain analytics firm Cyvers.

An attacker using a wallet funded through Tornado Cash, a mixing service that obscures transaction trails, carried out a series of transactions on the Base, BNB Chain and Taiko networks to exploit a flaw in the platform's price oracle system that allowed them to manipulate asset prices.

Kiloex has since confirmed the breach, suspended platform operations and is working with partners to trace the stolen funds and blacklist the attacker's wallet.

Oracles are services that feed external data, such as asset prices, onto a blockchain, where smart contracts use it to make decisions for a financial application. In practice, the oracle tells the platform whether ether (ETH) is worth $2,000 or $3,000, so that trades settle at fair market prices.

But oracles can be a weak link. In Kiloex's case, the attacker exploited an access-control vulnerability in the price oracle, essentially a missing check on who is allowed to update prices, and combined it with flash loans (short-lived borrowed liquidity) to trick the system into accepting false prices.

The attacker manipulated the oracle to report an absurdly low ETH price (e.g. $100) while opening a leveraged position. Leverage lets traders borrow funds to amplify their exposure, so a false entry price can create massive distortions in the position's apparent profit.

Once the price returned to its real level and the position was closed, it looked as though the attacker had made a huge profit, which they then withdrew from Kiloex's vault. The attacker repeated this across Base, BNB Chain and Taiko, using Kiloex's cross-chain setup to maximize the take before the platform could respond.
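The sequence described above, reduced to a runnable model. This is an added example, not Kiloex's code: the contract-like classes, the $2,000 reference price, the $7 million vault balance, the $1 million flash loan, the 10x leverage and the 10% per-update deviation bound are all assumptions chosen to make the arithmetic visible. The vulnerable oracle lets any caller set the price; the hardened one restricts updates to trusted keepers and rejects implausible jumps.

```python
"""Model of a perp vault drained via an unauthenticated price oracle.

Added, illustrative code: names, prices and balances are constructed
assumptions, not figures from the incident.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a non-keeper tries to push a price."""


class PriceRejected(Exception):
    """Raised when a price update moves too far from the last one."""


@dataclass
class VulnerableOracle:
    """Price feed with no access control: any caller can overwrite the price."""
    price: float  # USD per ETH

    def set_price(self, caller: str, new_price: float) -> None:
        self.price = new_price  # BUG: `caller` is never checked


@dataclass
class HardenedOracle:
    """Only trusted keepers may update, and each update is bounded."""
    price: float
    keepers: frozenset
    max_deviation: float = 0.10  # assumed 10% cap per update

    def set_price(self, caller: str, new_price: float) -> None:
        if caller not in self.keepers:
            raise Unauthorized(caller)
        if abs(new_price - self.price) / self.price > self.max_deviation:
            raise PriceRejected(new_price)
        self.price = new_price


@dataclass
class Position:
    owner: str
    margin: float       # USD posted as collateral
    size_eth: float     # notional exposure in ETH
    entry_price: float  # oracle price at open


@dataclass
class PerpVault:
    """Minimal perpetual-futures vault that pays PnL from pooled funds."""
    oracle: object
    balance: float  # USD held for liquidity providers and open margin
    positions: dict = field(default_factory=dict)

    def open_long(self, trader: str, margin: float, leverage: int) -> Position:
        notional = margin * leverage
        size_eth = notional / self.oracle.price  # cheap entry if price is fake
        self.balance += margin
        pos = Position(trader, margin, size_eth, self.oracle.price)
        self.positions[trader] = pos
        return pos

    def close(self, trader: str) -> float:
        pos = self.positions.pop(trader)
        pnl = pos.size_eth * (self.oracle.price - pos.entry_price)
        payout = min(max(0.0, pos.margin + pnl), self.balance)  # vault can't go negative
        self.balance -= payout
        return payout


def run_attack(oracle, vault, attacker="attacker",
               flash_loan=1_000_000.0, leverage=10) -> float:
    """Execute the four-step pattern; return attacker's net profit in USD."""
    real_price = oracle.price
    oracle.set_price(attacker, 100.0)                # 1. push an absurd low price
    vault.open_long(attacker, flash_loan, leverage)  # 2. open leveraged long with loan
    oracle.set_price(attacker, real_price)           # 3. restore the real price
    payout = vault.close(attacker)                   # 4. close at "profit", drain vault
    return payout - flash_loan                       # repay the flash loan


def vulnerable_scenario() -> tuple:
    """(attacker profit, vault balance left) against the unchecked oracle."""
    oracle = VulnerableOracle(price=2000.0)
    vault = PerpVault(oracle=oracle, balance=7_000_000.0)
    return run_attack(oracle, vault), vault.balance


def hardened_scenario() -> tuple:
    """(errors raised, vault balance left) against the keeper-gated oracle."""
    oracle = HardenedOracle(price=2000.0, keepers=frozenset({"keeper"}))
    vault = PerpVault(oracle=oracle, balance=7_000_000.0)
    errors = []
    try:
        run_attack(oracle, vault)          # step 1 fails: attacker is not a keeper
    except Unauthorized:
        errors.append("Unauthorized")
    try:
        oracle.set_price("keeper", 100.0)  # even a keeper can't post a 95% drop at once
    except PriceRejected:
        errors.append("PriceRejected")
    return tuple(errors), vault.balance


if __name__ == "__main__":
    print("vulnerable:", vulnerable_scenario())  # (7000000.0, 0.0)
    print("hardened:", hardened_scenario())      # (('Unauthorized', 'PriceRejected'), 7000000.0)
```

With the assumed numbers, a $1 million flash loan at 10x against a $100 entry buys 100,000 ETH of exposure; closing at $2,000 claims $190 million of PnL, so the vault pays out everything it holds and the attacker walks away with the $7 million that was in it. The access check is the actual fix; the deviation bound is defense in depth that also buys time during a genuine crash, at the cost of the feed lagging a real move of more than 10% per update.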

In one reported transaction, the attacker netted $3.12 million in a single step.

This is not the first time a DeFi platform has been hit by oracle manipulation. Similar attacks targeted Mango Markets in 2022, when about $100 million was stolen, and Cream Finance in 2021, which lost $130 million.
