Original | Odaily Planet Daily ( @OdailyChina )
Author | Asher ( @Asher_0210 )
This morning KiloEx, an on-chain perpetual contract platform backed by YZi Labs, was drained of more than 7 million US dollars, with assets lost on multiple chains including BNB Chain and Base. According to on-chain data, the project token KILO fell 22.8% within 24 hours in the wake of the theft and is now trading at 0.038 US dollars. According to official data, open interest on the KiloEx platform has fallen to 6 million US dollars; according to DefiLlama, KiloEx TVL still stands at 34 million US dollars.
Below, Odaily Planet Daily reviews the cause of the KiloEx theft, the team's response, and the community's reaction.
KiloEx Project Introduction
KiloEx is a decentralized exchange focused on perpetual contract trading that aims to give users a friendly trading experience. KiloEx supports multiple blockchains, including BNB Chain, opBNB, Manta, Taiko, and Base. It uses a funding-rate basis to anchor the perpetual contract price to the spot price so that trading remains stable and reliable. The advantages of trading on the KiloEx platform are:
No native gas token required: gas fees can be paid in USDT/USDC, so no additional cross-chain swap is needed;
Signature-free transactions, convenient operation: no cumbersome signing step, so the trading flow is smoother;
Efficient execution, close to a CEX experience: optimized transaction speed and improved user interaction efficiency.
In August 2023, YZi Labs announced investments in four outstanding MVB VI projects, including the perpetual contract DEX KiloEx (the other three are: Ethereum expansion project AltLayer, DeFi lending protocol Kinza and AI game Sleepless AI), and KiloEx is also a project member of the BNB Chain airdrop alliance program.
On March 27 this year, Binance Wallet and PancakeSwap cooperated to launch the exclusive TGE of KiloEx (KILO), which was oversubscribed by nearly 300 times. In addition, on the day of TGE, Binance Alpha announced the launch of KiloEx (KILO).
The root cause of the KiloEx theft was an access control vulnerability in the price oracle
According to on-chain data monitoring, the decentralized perpetual contract protocol KiloEx was attacked, with total asset losses of approximately US$7.4 million spread across the Base chain (approximately US$3.3 million), the opBNB chain (approximately US$3.1 million) and BNB Smart Chain (approximately US$1 million).
The root cause of the attack is a serious flaw in the access control of the protocol's price oracle. In layman's terms, the oracle should only be updated by a trusted role, but because the necessary permission restrictions were missing, the attacker was able to bypass the verification mechanism and arbitrarily tamper with asset prices, thereby manipulating the contract logic.
Analysis of the KiloEx exploit transactions
Blockchain security firm PeckShield has published a preliminary analysis that walks through one of the transactions exploiting the vulnerability in detail. The attacker first opened a new position at an abnormally low ETH/USD price (e.g. $100), then tampered with the ETH/USD price up to an artificially high $10,000, and immediately closed the position while the real market had barely moved, netting up to $3.12 million from this single transaction.
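To make the root cause and the exploit flow above concrete, the following is an added Python model (not KiloEx's contract code; the class and role names, the keeper role and the 10% per-update deviation cap are all assumptions) of a perpetual vault whose oracle anyone can update, beside a hardened oracle that requires a trusted updater and caps how far a single update may move the price:

```python
from dataclasses import dataclass, field

TRUSTED_KEEPER = "keeper"   # constructed label for the only role allowed to push prices
ATTACKER = "0xattacker"     # constructed label, not the real attacker address

class VulnerableOracle:
    """Models the flaw described in the article: any caller may set the price."""
    def __init__(self, price):
        self.price = price
    def set_price(self, caller, new_price):
        # No check on who is calling, and none on how far the price jumps.
        self.price = new_price

class HardenedOracle:
    """Price updates require the keeper role and may not jump more than MAX_DEVIATION."""
    MAX_DEVIATION = 0.10  # 10% per update: an assumed policy, not KiloEx's
    def __init__(self, price, keeper=TRUSTED_KEEPER):
        self.price, self.keeper = price, keeper
    def set_price(self, caller, new_price):
        if caller != self.keeper:
            raise PermissionError(f"{caller} is not the trusted price updater")
        if abs(new_price - self.price) / self.price > self.MAX_DEVIATION:
            raise ValueError("price deviation exceeds the per-update cap")
        self.price = new_price

@dataclass
class Vault:
    """Minimal perp vault: positions are settled at the oracle price at close."""
    oracle: object
    positions: dict = field(default_factory=dict)
    def open_long(self, trader, size_eth):
        self.positions[trader] = (size_eth, self.oracle.price)  # record entry price
    def close(self, trader):
        size_eth, entry = self.positions.pop(trader)
        return size_eth * (self.oracle.price - entry)  # realised PnL in USD

def simulate(oracle_cls, caller=ATTACKER):
    """Open a 1 ETH long at $100, try to push the price to $10,000, then close."""
    oracle = oracle_cls(100.0)
    vault = Vault(oracle)
    vault.open_long(caller, 1.0)
    try:
        oracle.set_price(caller, 10_000.0)
    except (PermissionError, ValueError) as exc:
        return ("blocked", type(exc).__name__)
    return ("paid", vault.close(caller))
```

With the vulnerable oracle the vault pays out the full fabricated move; with the hardened one the untrusted caller is rejected, and even the keeper cannot push a 100x jump in a single update.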
Currently, the attacker address ( 0x00fac92881556a90fdb19eae9f23640b95b4bcbd ) is still moving funds out through zkBridge, and $5.4 million remains in the address that has not yet been transferred.
KiloEx official response to the theft: KiloEx Vault was attacked
The KiloEx team promptly issued an official response to this major security incident. According to the announcement, the target of the attack was KiloEx Vault, the core asset module of KiloEx; the attacker compromised the module and drained a large amount of platform funds.
The team emphasized that it took emergency measures immediately after the incident and urged all integration partners, trading platforms and third-party service providers to blacklist the attacker addresses involved at once, to stop the stolen assets from being moved further or laundered. To encourage the community to assist with the investigation and fund tracing, KiloEx announced that it will launch a bounty program rewarding individuals and organizations that provide effective vulnerability information or help recover assets.
KiloEx also said that the attack has been contained, platform functions have been suspended, and it is working closely with several professional security firms to trace the flow of funds and analyze the attacker's techniques. The team is currently analyzing the specific method of the attack and the affected assets, and a complete incident report is expected to be released to the community in the coming days.
The absence of a concrete compensation plan has caused dissatisfaction in the community
Although the KiloEx team responded quickly and took a series of measures, including suspending the platform, tracing funds and bringing in security firms, the announcement did not address the question the community cares about most: how users will be compensated for their losses. This disappointed users. Faced with a theft of up to $7.4 million, users are eager to know whether the platform will take responsibility and whether a compensation mechanism exists, but that content has been absent throughout.
This silence quickly triggered widespread doubt in the community. KiloEx's social media comment sections filled with harsh remarks such as "embezzlement", "already absconded" and "staged it themselves", and some users pointed out: "the current circulating market value is only 8 million US dollars, and 7.4 million US dollars were stolen. How are you going to compensate?"
At present, the KiloEx team has not made a public statement on compensation, which may trigger a wider wave of user claims and asset withdrawals. Odaily Planet Daily will continue to follow the story.