Decentralized exchange KiloEx has paused its operations and is actively working with partners to trace approximately $7 million in stolen funds following a sophisticated exploit.
The attack, which took place earlier on Tuesday, exploited a vulnerability in KiloEx’s price oracle system and spanned multiple blockchain networks, according to blockchain security firm Cyvers.
The attacker funded their wallet via Tornado Cash—a crypto mixing service known for obfuscating transaction trails—and launched a coordinated exploit across the Base, BNB Chain, and Taiko networks. By exploiting a flaw in the platform’s oracle system, the attacker was able to manipulate asset prices and execute a series of fraudulent leveraged trades.
In response, KiloEx confirmed the breach and suspended platform activities. The team is now collaborating with ecosystem partners to trace the stolen assets and blacklist the attacker’s wallet. As part of a recovery effort, the DEX has offered the hacker a 10% white hat bounty in exchange for returning 90% of the stolen funds.
Oracles, which are essential for feeding off-chain data to smart contracts on the blockchain, can become critical points of failure if not secured properly. In this case, the attacker leveraged a flash loan-based technique to manipulate KiloEx’s oracle into misreporting ETH prices—potentially spoofing the price as low as $100—to gain massive profits from falsely valued leveraged positions.
This price distortion tricked the system into believing the attacker had earned significant profits, which they then withdrew. The process was repeated across several chains, exploiting KiloEx’s cross-chain infrastructure. In one transaction alone, the attacker reportedly siphoned off $3.12 million.
Oracle manipulation attacks have previously targeted major DeFi platforms. Notable examples include Mango Markets in 2022, which lost $100 million, and Cream Finance in 2021, which suffered $130 million in losses.
