KiloEx DEX Loses $7.5M in April 15 Hack: Price Oracle Vulnerability Exploited

The Decentralized perpetual futures exchange (DEX) KiloEx has fallen victim to a significant security breach. On April 15, blockchain security firm PeckShield reported that KiloEx suffered a hack resulting in losses of $7.5 million. The attack impacted multiple blockchains, with $3.3 million stolen on the Base chain, $3.1 million on opBNB, and $1 million on BNB Chain (BSC). In response, KiloEx has suspended platform operations, and its security team is actively tracking the cross-chain transfer of the stolen funds.

PeckShield's preliminary analysis revealed that the attacker exploited a vulnerability in KiloEx's price oracle. Specifically, the hacker manipulated the oracle to inflate the ETH/USD price from $100 to $10,000, enabling them to profit by opening and closing positions within a short timeframe. Security reports indicate that the attacker netted a profit of $3.12 million in a single transaction. Further insights from another Blockchain security firm SlowMist highlighted that the root cause of the vulnerability lies in a critical flaw in the price oracle's access control mechanism, which lacked proper permission validation, allowing unauthorized entities to tamper with price data and manipulate contract logic.

Following the attack, KiloEx promptly halted all platform operations to prevent further losses. According to PeckShield, the stolen funds are being transferred across chains via bridges such as zkBridge and Meson, with the security team working diligently to trace their movements. However, the incident has taken a heavy toll on KiloEx's native token, $KILO, which plummeted 28.7% in value following the attack. As of this writing, $KILO is trading at approximately $0.03822.

KiloEx, an on-chain perpetual futures platform backed by YZi Labs, gained attention earlier this year. In March 2025, $KILO was featured in an exclusive Token Generation Event (TGE) co-hosted by Binance Wallet and PancakeSwap, achieving an oversubscription rate of nearly 300x. On the same day, $KILO was listed on Binance Alpha.

In response to the security incident, KiloEx issued an official statement, confirming that the attack targeted its core asset module, the KiloEx Vault. The hacker gained access to this module through technical means, successfully siphoning off a substantial amount of funds from the platform. The attack has since been contained, and platform functionalities have been suspended. To encourage community assistance in the investigation and fund recovery, KiloEx announced the launch of a bug bounty program, offering rewards to individuals or organizations that provide actionable information on security vulnerabilities or assist in recovering the stolen assets.

In its latest update, KiloEx announced that they have obtained critical information about the hacker's activities. The exchange has been monitoring the hacker's addresses and is prepared to freeze the stolen funds immediately. KiloEx is offering the hacker a 72-hour window to return 90% of the stolen funds to the following address, with the remaining 10% to be retained as a white-hat bounty for cooperation. KiloEx warns that failure to comply within the specified timeframe will result in an escalation of the investigation, including the disclosure of the hacker's identity and the pursuit of legal action.

However, KiloEx's announcement failed to address a critical concern for the community: how user losses will be compensated. With $KILO's circulating market cap standing at just $8.16 million—compared to the $7.5 million in losses—the community has raised concerns about the team's ability to cover the damages. KiloEx may need to secure external funding or activate an insurance mechanism to reimburse affected users, or risk facing a severe trust crisis. As of this writing, the KiloEx team has not released a detailed compensation plan or specifics on the vulnerability fix, potentially triggering broader user backlash and asset withdrawals.