Original | Odaily (@OdailyChina)
Author | Asher (@Asher_0210)
This morning, a KiloEx address was drained; KiloEx is an on-chain perpetual contract platform backed by YZi Labs. Losses exceed $7 million and span assets on multiple chains, including BNB Chain and Base. On-chain data shows that, in the wake of the theft, the project token KILO fell 22.8% in 24 hours and currently trades at $0.038. According to official data, the value of open contracts on the KiloEx platform has dropped to $6 million, while DefiLlama data still puts KiloEx's TVL at $34 million.
Next, Odaily will provide an overview of the reasons behind the KiloEx address theft, the team's response, and community perspectives.
KiloEx Project Overview
KiloEx is a decentralized exchange focusing on perpetual contract trading, aiming to provide users with a friendly trading experience. KiloEx supports multiple blockchains, including BNB Chain, opBNB, Manta, Taiko, and Base. KiloEx uses rate differentials to anchor perpetual contract prices with spot prices, ensuring trading stability and reliability. The advantages of trading on KiloEx include:
No native gas tokens required: Supports paying gas fees with USDT/USDC, eliminating the need for additional cross-chain exchanges;
Signless trading, convenient operation: No complex signatures, making the trading process smoother;
Efficient execution, close to CEX experience: Optimized trading speed, improving user interaction efficiency.
In August 2023, YZi Labs announced investments in four outstanding MVB VI projects, including the perpetual contract DEX KiloEx (the other three being Ethereum scaling project AltLayer, DeFi lending protocol Kinza, and AI game Sleepless AI), and KiloEx is also a member of the BNB Chain airdrop alliance program.
On March 27th this year, Binance Wallet and PancakeSwap launched an exclusive TGE for KiloEx (KILO), oversubscribed nearly 300 times, and Binance Alpha also announced the listing of KiloEx (KILO) on the same day.
The Root Cause of the KiloEx Theft Is an Access Control Vulnerability in the Price Oracle
According to on-chain data monitoring, the decentralized perpetual contract protocol KiloEx was hacked, causing total asset losses of approximately $7.4 million, distributed across Base chain (about $3.3 million), opBNB chain (about $3.1 million), and BNB Smart Chain (about $1 million).
The fundamental cause of this attack is a serious access control vulnerability in the protocol's price oracle. In simple terms, the oracle should accept price updates only from trusted roles; because the necessary permission check was missing, attackers were able to bypass the verification mechanism, set asset prices arbitrarily, and thereby manipulate the contract logic that depends on those prices.
Analysis of the KiloEx Exploit Transactions
A preliminary analysis by blockchain security firm PeckShield details one of the transactions that exploited this vulnerability. The attacker first opened a new position at an abnormally low ETH/USD price (e.g. $100), then pushed the ETH/USD price up to an inflated $10,000 and immediately closed the position. With no real market movement at all, this single transaction yielded a profit of up to $3.12 million.
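To make the root cause and the open-low / close-high sequence concrete, the following added Python model (not KiloEx's code; the oracle, vault, role names and prices are constructed assumptions) contrasts an oracle that accepts price updates from anyone with one that enforces an updater role, and shows how a long position's PnL is driven entirely by the two oracle prices it sees:

```python
from dataclasses import dataclass, field

@dataclass
class PriceOracle:
    # Addresses allowed to push prices (constructed placeholders, not real keepers)
    updaters: set = field(default_factory=set)
    enforce_acl: bool = True   # False models the missing permission check
    prices: dict = field(default_factory=dict)

    def update_price(self, caller: str, asset: str, price: float) -> None:
        # Hardened behaviour: reject any caller outside the updater role.
        if self.enforce_acl and caller not in self.updaters:
            raise PermissionError(f"{caller} is not an authorized price updater")
        if price <= 0:
            raise ValueError("price must be positive")
        self.prices[asset] = price

@dataclass
class Vault:
    oracle: PriceOracle
    positions: dict = field(default_factory=dict)

    def open_long(self, trader: str, asset: str, collateral: float, leverage: int) -> None:
        entry = self.oracle.prices[asset]
        # Notional exposure in USD is collateral * leverage; remember the entry price.
        self.positions[trader] = (asset, collateral, collateral * leverage, entry)

    def close_long(self, trader: str) -> float:
        asset, collateral, notional, entry = self.positions.pop(trader)
        exit_price = self.oracle.prices[asset]
        # Linear long PnL: notional scales with the relative price move.
        pnl = notional * (exit_price / entry - 1)
        return max(pnl, -collateral)   # losses are capped at the posted collateral

def simulate(enforce_acl: bool) -> float:
    """Run the open-low / close-high sequence; returns the trader's PnL in USD."""
    oracle = PriceOracle(updaters={"keeper"}, enforce_acl=enforce_acl)
    oracle.update_price("keeper", "ETHUSD", 2000.0)   # legitimate market price (constructed)
    vault = Vault(oracle)
    # An unprivileged address pushes a bogus low price, opens, pushes a high price, closes.
    oracle.update_price("untrusted", "ETHUSD", 100.0)
    vault.open_long("untrusted", "ETHUSD", collateral=1_000.0, leverage=10)
    oracle.update_price("untrusted", "ETHUSD", 10_000.0)
    return vault.close_long("untrusted")

if __name__ == "__main__":
    print(simulate(enforce_acl=False))   # unrestricted oracle: 10_000 * (10000/100 - 1) = 990000.0
    try:
        simulate(enforce_acl=True)
    except PermissionError as e:
        print("hardened oracle blocked the update:", e)
```

With the role check in place the first unauthorized update already reverts, so the position is never opened against a fabricated price.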
Currently, the hacker address (0x00fac92881556a90fdb19eae9f23640b95b4bcbd) continues to transfer funds through zkBridge, with $5.4 million in funds yet to be moved.
KiloEx Official Response: KiloEx Vault Attacked
In response to this major security incident, the KiloEx team has issued an official statement. According to the announcement, the attack targeted KiloEx's core asset module, the KiloEx Vault, which the hackers successfully breached to steal a large amount of platform funds.
The official statement emphasized that after the incident the team quickly took emergency measures, urging all integrated and partner protocols, trading platforms, and third-party service providers to immediately blacklist the hacker address to prevent further movement or laundering of the stolen assets. To encourage the community to assist with the investigation and tracing, KiloEx announced a bug bounty program rewarding individuals and organizations that provide effective vulnerability information or help recover the assets.
Additionally, KiloEx stated that the attack is currently under control and platform functions have been suspended. KiloEx is working closely with several professional security firms to trace the flow of funds and reconstruct the attacker's technical path. The team is currently analyzing the specific attack method and the affected assets, and expects to publish a complete incident report to the community in the coming days.
Lack of Specific Compensation Plan Sparks Community Dissatisfaction
Despite the KiloEx team's swift response and measures such as suspending the platform, tracing funds, and working with security firms, the announcement said nothing about the key question of how user losses will be compensated, which has disappointed users. Given a stolen amount of $7.4 million, users urgently want to know whether the platform will take responsibility and whether any compensation mechanism exists, but the statement remains silent on this.
This omission quickly drew numerous questions from the community. KiloEx's social media comment sections are filled with heated remarks such as "insider theft", "already rugged", and "self-staged", with some users asking: "the current market cap is only $8 million and $7.4 million has been stolen, how will you compensate?"
Currently, the KiloEx team has not made a public statement regarding compensation, which may trigger a larger user rights protection and asset withdrawal wave. Odaily will continue to track and report on this development.