Briefing

KiloEx, a decentralized exchange, suffered a sophisticated price oracle manipulation attack, resulting in the loss of approximately $7.5 million across its Base, opBNB, and BNB Smart Chain deployments. The exploit leveraged a critical vulnerability in the protocol’s MinimalForwarder contract, allowing an attacker to forge signatures and directly manipulate the KiloPriceFeed oracle. This incident underscores the systemic risk posed by inadequate access control mechanisms within complex DeFi architectures.

Context

Prior to this incident, the DeFi ecosystem had seen a rise in price oracle manipulation attacks, often enabled by insufficient validation logic or centralized price feeds. Many protocols, including KiloEx, relied on multi-contract call chains for critical functions, creating an expanded attack surface where a single unchecked permission could compromise the entire system. The prevailing risk factors included unaudited or inadequately audited forwarder contracts and a lack of granular access control.

Analysis

The attack vector exploited a missing access control check within KiloEx’s MinimalForwarder contract. This contract, part of a chained series (MinimalForwarder → PositionKeeper → Keeper → KiloPriceFeed) designed to update the price oracle, allowed arbitrary addresses to execute calls by submitting forged signatures without verifying the legitimacy of the call path. The attacker crafted a fake signature, impersonated an authorized address, and directly invoked the setPrices() function on the KiloPriceFeed oracle. This enabled the attacker to artificially depress asset prices, open leveraged long positions, then rapidly inflate prices to close positions for risk-free profit, systematically draining liquidity pools across multiple chains.

Parameters

  • Protocol Targeted ∞ KiloEx
  • Attack Vector ∞ Price Oracle Manipulation (via forged signature and missing access control)
  • Financial Impact ∞ $7.5 Million
  • Blockchain(s) Affected ∞ Base, opBNB, BNB Smart Chain
  • Vulnerability ∞ Missing Access Control in MinimalForwarder contract
  • Date of Incident ∞ April 14-16, 2025

Outlook

Immediate mitigation for similar protocols involves a comprehensive audit of all chained contract interactions, with a specific focus on robust access control and signature validation mechanisms within forwarder contracts. This incident will likely drive a re-evaluation of oracle security, emphasizing multi-source validation and decentralized oracle solutions to prevent single points of failure. The broader implication is a heightened standard for modular smart contract security, necessitating explicit permission checks at every step of a call chain.
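To make concrete both the missing check described in the Analysis section and the "explicit permission checks at every step of a call chain" called for above, the following is an added illustration written for this briefing; it is not KiloEx's code, and the contract names (UnsafeForwarder, SafeForwarder, PriceFeed), the request layout and the keeper role are assumptions modelled on the forwarder → keeper → price feed chain the briefing describes. The unsafe forwarder relays any request while trusting the caller-supplied `from` address; the hardened forwarder recovers the signer, consumes a nonce, and only relays to registered targets, while the price feed independently checks that the forwarded signer is the designated keeper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts (assumed names, not KiloEx's actual code) modelled on
// the forwarder -> keeper -> price feed chain described in the briefing.

struct ForwardRequest {
    address from;   // claimed signer of the meta-transaction
    address to;     // target contract to relay to
    uint256 nonce;  // per-signer replay counter
    bytes data;     // calldata to relay
}

// VULNERABLE: relays any request and trusts req.from without checking that the
// signature actually recovers to it, so any caller can impersonate any address.
contract UnsafeForwarder {
    mapping(address => uint256) public nonces;

    function execute(ForwardRequest calldata req, bytes calldata /* signature */)
        external returns (bool ok, bytes memory ret)
    {
        // BUG: no signature verification, no nonce check, no target allow-list.
        nonces[req.from]++;
        (ok, ret) = req.to.call(abi.encodePacked(req.data, req.from));
    }
}

// HARDENED: verify the signer, consume the nonce, and relay only to targets
// the owner explicitly registered.
contract SafeForwarder {
    address public immutable owner;
    mapping(address => uint256) public nonces;
    mapping(address => bool) public allowedTarget;

    constructor() { owner = msg.sender; }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    // Digest bound to this chain and this forwarder, so a signature cannot be
    // replayed through another forwarder or on another deployment.
    function digest(ForwardRequest calldata req) public view returns (bytes32) {
        bytes32 h = keccak256(abi.encode(
            block.chainid, address(this), req.from, req.to, req.nonce, keccak256(req.data)));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }

    function verify(ForwardRequest calldata req, bytes calldata sig) public view returns (bool) {
        if (sig.length != 65) return false;
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        // Reject malleable high-s signatures (EIP-2 range check).
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) return false;
        if (v != 27 && v != 28) return false;
        address signer = ecrecover(digest(req), v, r, s);
        return signer != address(0) && signer == req.from && nonces[req.from] == req.nonce;
    }

    function execute(ForwardRequest calldata req, bytes calldata sig)
        external returns (bool ok, bytes memory ret)
    {
        require(allowedTarget[req.to], "target not allowed");
        require(verify(req, sig), "bad signature or nonce");
        nonces[req.from] = req.nonce + 1;
        (ok, ret) = req.to.call(abi.encodePacked(req.data, req.from));
        require(ok, "forwarded call failed");
    }
}

// Price feed that accepts updates only through one trusted forwarder AND only
// when the forwarded signer is the designated keeper: a second, independent
// permission check at the end of the chain.
contract PriceFeed {
    address public immutable trustedForwarder;
    address public immutable keeper;
    mapping(address => uint256) public prices;

    constructor(address forwarder_, address keeper_) {
        trustedForwarder = forwarder_;
        keeper = keeper_;
    }

    // ERC-2771 style: the forwarder appends the verified signer to calldata.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    function setPrices(address[] calldata assets, uint256[] calldata newPrices) external {
        require(_msgSender() == keeper, "not keeper");
        require(assets.length == newPrices.length, "length mismatch");
        for (uint256 i = 0; i < assets.length; i++) prices[assets[i]] = newPrices[i];
    }
}
```

The point of the layered design is that neither contract relies on the other being correct: even if a forwarder were deployed with the unsafe behaviour, the price feed's own keeper check would reject a relayed setPrices() call whose appended sender is not the keeper, and even if the feed trusted its forwarder blindly, the hardened forwarder would refuse to relay a request whose signature does not recover to the claimed signer.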

Verdict

The KiloEx exploit serves as a critical reminder that fundamental access control vulnerabilities, even in seemingly minor components, can lead to catastrophic financial losses across complex DeFi architectures.

Signal Acquired from ∞ OneKey