Decentralized Exchange KiloEx Recovers from $7 Million Hack
KiloEx, a decentralized perpetual exchange, faced a $7 million exploit due to a smart contract flaw. The issue stemmed from the TrustedForwarder contract, which didn’t properly override the “execute” method from OpenZeppelin’s MinimalForwarderUpgradeable. This oversight left the method permissionless (callable by any address), allowing the attacker to manipulate trading positions.
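To make the inheritance mistake concrete, here is an added Solidity illustration; it is not KiloEx’s or OpenZeppelin’s code. `SimpleForwarder` is a simplified stand-in for a MinimalForwarder-style base (it marks `execute` as `virtual` so the override can be shown; the real library’s override hooks depend on the version you use). `OpenTrustedForwarder` shows the vulnerable shape, where inheriting without overriding leaves `execute` open to every caller, and `GatedTrustedForwarder` shows one hardened shape that restricts relaying to an owner-managed allowlist. All contract, function and event names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not KiloEx's or OpenZeppelin's code. A MinimalForwarder-style
// base: verifies a user's signature over a ForwardRequest, then relays the call with
// `from` appended to calldata, which an ERC-2771 recipient reads back as _msgSender().
abstract contract SimpleForwarder {
    struct ForwardRequest {
        address from;   // account the recipient will treat as the caller
        address to;     // recipient contract
        uint256 value;
        uint256 gas;
        uint256 nonce;
        bytes data;
    }

    mapping(address => uint256) public nonces;

    function verify(ForwardRequest calldata req, bytes calldata signature) public view virtual returns (bool) {
        bytes32 digest = keccak256(abi.encode(req.from, req.to, req.value, req.gas, req.nonce, keccak256(req.data)));
        address signer = recover(toEthSignedMessageHash(digest), signature);
        return signer == req.from && nonces[req.from] == req.nonce;
    }

    // Permissionless in the base: ANY address may call execute and have a signed
    // request relayed. Whether that is acceptable depends on what the recipient
    // does with _msgSender(), so a child should decide explicitly by overriding.
    function execute(ForwardRequest calldata req, bytes calldata signature) public payable virtual returns (bool, bytes memory) {
        require(verify(req, signature), "bad signature or nonce");
        nonces[req.from] = req.nonce + 1;
        return req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
    }

    function toEthSignedMessageHash(bytes32 hash) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", hash));
    }

    function recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}

// Vulnerable shape: inherits and adds nothing, so `execute` silently keeps the
// base contract's open visibility. Nothing in this file marks it as intended.
contract OpenTrustedForwarder is SimpleForwarder {}

// Hardened shape: `execute` is explicitly overridden and gated to an allowlist of
// relayer addresses managed by the owner. The `override` keyword makes the policy
// decision visible in review, and the RelayerSet event gives monitoring a hook.
contract GatedTrustedForwarder is SimpleForwarder {
    address public owner;
    mapping(address => bool) public isRelayer;

    event RelayerSet(address indexed relayer, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlyRelayer() {
        require(isRelayer[msg.sender], "caller is not an approved relayer");
        _;
    }

    function setRelayer(address relayer, bool allowed) external onlyOwner {
        isRelayer[relayer] = allowed;
        emit RelayerSet(relayer, allowed);
    }

    // Explicit override: same signature as the base, plus the access check.
    function execute(ForwardRequest calldata req, bytes calldata signature) public payable override onlyRelayer returns (bool, bytes memory) {
        return super.execute(req, signature);
    }
}
```

A review checklist that follows from this: for every contract that inherits a forwarder or other privileged base, list the inherited public and external functions and confirm each one either is meant to be open or carries an explicit `override` with an access check; recipients that trust `_msgSender()` from a forwarder are only as safe as the forwarder’s caller policy.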
On April 13, the attacker withdrew 1 ETH from Tornado Cash to fund wallets across multiple chains. Using the unprotected method, they opened and closed positions at advantageous prices within an hour. Cyvers Alerts first detected the suspicious cross-chain activity on Base, Taiko, and BNB Chain. PeckShield confirmed losses on Base, opBNB, and BSC.
After negotiations, the hacker agreed to a 10% bounty and returned all stolen assets to KiloEx’s Safe multi-signature wallets. KiloEx fixed the vulnerability and assured users that no open positions would face liquidation. Instead, positions will be closed based on pre-attack price snapshots, and profits or losses incurred during the exploit won’t affect final user balances.
The platform collaborated with law enforcement and SlowMist to investigate the incident. The incident highlights the importance of robust security measures in the crypto space.
