- Hacker exploited weak oracle controls across Base, BNB, and Taiko chains to drain $7 million.
- Flash loans and fake ETH prices allowed attackers to withdraw manipulated gains from KiloEx vaults.
- KiloEx joins the growing list of DeFi hacks as 2025 crypto thefts surpass $1.6 billion already.
Decentralized exchange KiloEx, known for supporting perpetual futures trading, suffered a $7 million loss following a sophisticated exploit on April 14. The attack targeted KiloEx’s oracle system and affected multiple blockchain networks, including Base, BNB Chain, and Taiko.
According to blockchain security firm Cyvers, the attacker manipulated asset prices by exploiting a vulnerability in KiloEx’s oracle design. The wallet used to execute the exploit is one frequently used with Tornado Cash, a tool for hiding the origin of funds. With control over the price feed, the attacker opened large leveraged positions against the false asset value and withdrew just before the error was corrected.
Oracle Manipulation and Flash Loan Abuse
The oracle system had weak access controls that allowed the attacker to administer pricing data directly. Using flash loans, they gained temporary access to large sums of liquidity, which they combined with the fabricated market prices.
The attacker reportedly began by setting extremely low values for key assets such as Ethereum (ETH), then executed trades that appeared highly profitable under the manipulated prices. Once these artificial gains were registered on the platform, the attacker withdrew the funds and repeated the process on other chains. A single transaction yielded a $3.12 million gain.
DeFi systems rely on oracles to feed accurate external data, such as asset prices, into smart contracts. If mismanaged, they become an entry point for manipulation. KiloEx has since suspended operations and is working with partners to trace the attacker and blacklist the wallet address.
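The following is an added illustration, not KiloEx’s code or Cyvers’ analysis: a toy price feed with the control the article says was missing (caller authorisation) plus a deviation circuit breaker, and a regression check that measures how much a vault would pay out if an unauthorised writer could push a price. All names, prices and thresholds are constructed assumptions.

```python
# Added illustration (not KiloEx's code). Names, prices and thresholds are
# constructed assumptions; prices are whole USD cents (300_000 == $3,000).
from dataclasses import dataclass, field

MAX_MOVE_BPS = 500  # reject any single update that moves the price by more than 5%


@dataclass
class PriceFeed:
    price: int
    keepers: set = field(default_factory=set)  # addresses allowed to push prices
    enforce_controls: bool = True              # False models the "anyone can write" weakness

    def update(self, caller: str, new_price: int) -> bool:
        """Apply a price update; returns True if accepted, False if rejected."""
        if self.enforce_controls:
            if caller not in self.keepers:
                return False  # unauthorised writer
            move_bps = abs(new_price - self.price) * 10_000 // self.price
            if move_bps > MAX_MOVE_BPS:
                return False  # out-of-band jump; such moves need a slower, reviewed path
        self.price = new_price
        return True


def long_payout(entry_price: int, exit_price: int, size_units: int) -> int:
    """Cents a vault pays to a long of size_units opened at entry and closed at exit."""
    return max(0, (exit_price - entry_price) * size_units)


def vault_exposure(feed: PriceFeed, caller: str, fake_entry: int,
                   true_price: int, size_units: int) -> int:
    """Regression check: cents a vault would lose if `caller` could write
    fake_entry, open a long there, and close once the feed returns to
    true_price. Returns 0 when the feed rejects the bogus write."""
    if not feed.update(caller, fake_entry):
        return 0
    entry = feed.price
    feed.update(caller, true_price)  # feed is "corrected" before the position is closed
    return long_payout(entry, feed.price, size_units)


if __name__ == "__main__":
    weak = PriceFeed(price=300_000, keepers={"keeper"}, enforce_controls=False)
    guarded = PriceFeed(price=300_000, keepers={"keeper"})
    print("unchecked writer exposure (cents):", vault_exposure(weak, "attacker", 100_000, 300_000, 1000))
    print("guarded feed exposure (cents):", vault_exposure(guarded, "attacker", 100_000, 300_000, 1000))
```

The same check can be run against a real feed's write path in a test suite, so that an oracle whose setter loses its caller check fails the build rather than going live.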
Industry Sees Repeat Oracle Exploits
KiloEx’s case is the latest in a growing list of oracle-based exploits in decentralized finance. In 2022, Mango Markets lost $100 million to a similar method. In 2021, Cream Finance suffered an exploit amounting to $130 million.
As detailed in a related report, the hacker behind the $5.4 million zkLend exploit was later tricked by a phishing scam. While trying to launder the funds through a fake Tornado Cash site, the attacker lost the entire amount. It shows that even attackers are susceptible to the ‘vulnerabilities’ of the same ecosystem they exploit.
Rising Crypto Losses in Early 2025
The crypto sector has had a difficult first quarter of 2025. As we reported previously, Q1 losses reached $1.63 billion, a 131% rise over the $706 million stolen in Q1 of 2024. These losses include social engineering attacks as well as technical exploits. KiloEx’s multi-chain setup may have made it more vulnerable to rapid, repeated attacks, since it took the team time to react across the different networks. Investigations are ongoing, and recovery of the funds is doubtful.