KiloEx Hacked for $7 Million, Can the $7M Circulating Supply Cover User Losses?

Early on April 15, the on-chain perpetual platform KiloEx, previously invested in by YZi Labs, issued an announcement on its official X account, stating that its protocol's treasury, KiloEx Vault, had experienced a hack, and the exploit had currently been contained.

Impacted by the theft incident, the KiloEX token KILO had already begun a sharp decline in price before the official announcement. As of the time of writing, KILO had dropped from around $0.05 early in the morning to $0.035, a decrease of over 30% in 6 hours. According to DefiLlama data, funds within KiloEx also rapidly declined and fled during the exploit event, with the protocol's cross-chain TVL dropping to less than $31 million at the time of writing.

In response to the attack event, KiloEx's official statement indicated an immediate suspension of the platform and collaboration with security partners to trace fund movements. The team will be issuing a bounty program and working with ecosystem partners to track and potentially recover the funds. Additionally, KiloEx mentioned that they will soon release a comprehensive incident report to share with the community.

Theft Reason: Price Oracle Vulnerability

According to Block Beats' monitoring, the perpetual contract DEX KiloEx suffered an attack today, resulting in a loss of approximately $7.5 million (with $3.3 million on the Base network, $3.1 million on the opBNB network, and $1 million on the BNB Chain).

Through initial analysis of one of the attack transactions, Block Beats believes this to be a price oracle issue. The attacker exploited this vulnerability by setting the initial ETHUSD price to 100 at the opening and then immediately closing the position at an artificially high ETHUSD price of 10000, making a profit of around $3.12 million in just this one trade. According to Cyvers Alerts' tracking, the attacker continued to try to exploit KiloEx's oracle system even after making a significant profit in a single high-value trade.

Cyvers Alerts states that the attacker's acquired USDC may face freezing and calls on Tether to proactively freeze the attacker's obtained USDT assets. Currently, the attacker has cross-chain transferred the funds to the address 0x00FAC92881556A90FDB19EE9F23640B95B4BCBD through Across.

Rising abruptly only to crash, Team's Solvency Questioned

KiloEx is a decentralized perpetual contract platform that supports BNB Chain, opBNB, Base, and multiple MEV ecosystem L1 and L2. In August 2023, YZi Labs announced investments in four outstanding projects under the MVB VI program, including KiloEx, with KiloEx also being a member of the BNB Chain Airdrop Alliance initiative.

As YZi Labs' "godchild," KiloEx had been experiencing smooth development until recently. On March 27, Binance Wallet partnered with PancakeSwap to hold an exclusive token generation event for KiloEx. Currently, the BNB investment has been open for 62 minutes, with 58 minutes remaining until the end, having exceeded funding by 281 times, raising over 340,000 BNB.

On April 13, KiloEx announced a strategic partnership with Web3 investment firm and liquidity provider DWF Labs. The two parties will deeply collaborate on KiloEx's market expansion, ecosystem growth, and user empowerment, further advancing KiloEx's positioning in the decentralized trading sector.

KiloEx stated that it will soon launch more integrated collaborations with DWF Labs on the BNB Chain to further drive platform functionality and ecosystem synergy. According to Binance Alpha Markets, KiloEx's token KILO rose by 45% on the day of the announcement, reaching a high of $0.058.

However, just two days after the project gained momentum, KiloEx suffered a loss of over $7 million due to an oracle vulnerability. Currently, according to Coingecko, KiloEx's project's circulating market value has plummeted to around $7.36 million, close to the stolen funds' amount, while its total market value is approximately $34 million. Due to the large percentage of the stolen amount compared to the project's market value, many community members have expressed concerns about the team's solvency.

Of course, in this recent hacking incident, the attacker did not directly steal the KILO tokens, and the market value of the project's token cannot directly reflect the project's own fund reserve and Runway. Currently, the team has not yet disclosed the handling of fund reimbursement, and BlockBeats will continue to track and report on this.