Briefing

KiloEx, a decentralized exchange, suffered a price oracle manipulation attack, resulting in the loss of approximately $7.5 million across its Base, opBNB, and BNB Smart Chain deployments. The exploit leveraged a missing access control check in the protocol's MinimalForwarder contract, which accepted a forged signature and relayed the attacker's calls as if they came from a trusted address, letting the attacker write arbitrary prices into the KiloPriceFeed oracle. The incident underscores the systemic risk posed by inadequate access control within multi-contract DeFi architectures, where one unchecked hop can undermine every check downstream of it.


Context

Prior to this incident, the DeFi ecosystem had seen a rise in price oracle manipulation attacks, often enabled by insufficient validation logic or centralized price feeds. Many protocols, including KiloEx, relied on multi-contract call chains for critical functions such as price updates, which expands the attack surface: a single unchecked permission anywhere in the chain can compromise the entire system. The prevailing risk factors included unaudited or inadequately audited forwarder contracts and a lack of granular access control at each hop.


Analysis

The attack vector exploited a missing access control check within KiloEx's MinimalForwarder contract. The forwarder is the entry point of a chained call path (MinimalForwarder → PositionKeeper → Keeper → KiloPriceFeed) used to push price updates to the oracle; each downstream contract trusted the identity handed to it by the previous hop, so the forwarder's check was the only one that actually gated who could update prices. Because the forwarder relayed requests without properly verifying the submitted signature against the claimed sender, any address could submit a forged signature, impersonate an authorized keeper, and reach the setPrices() function on the KiloPriceFeed oracle. The attacker used this to set artificially low prices, open leveraged long positions at those prices, then push prices back up and close the positions. With both the entry and exit prices under the attacker's control, the profit was effectively guaranteed, and the same sequence was repeated to drain liquidity pools across multiple chains.


Parameters

  • Protocol Targeted → KiloEx
  • Attack Vector → Price Oracle Manipulation (via forged signature and missing access control)
  • Financial Impact → $7.5 Million
  • Blockchain(s) Affected → Base, opBNB, BNB Smart Chain
  • Vulnerability → Missing Access Control in MinimalForwarder contract
  • Date of Incident → April 14-16, 2025


Outlook

Immediate mitigation for similar protocols is a comprehensive audit of every chained contract interaction, with a specific focus on access control and signature validation in forwarder contracts: a forwarder must prove that the claimed sender actually signed the request, and bind that signature to a nonce, chain ID and contract address, before relaying it, and each downstream contract should enforce its own permission check rather than inheriting trust from its caller. The incident will likely drive a re-evaluation of oracle security, emphasizing multi-source validation, sanity bounds on how far a single update may move a price, and decentralized oracle solutions that remove single points of failure. The broader implication is a heightened standard for modular smart contract security, with explicit permission checks at every step of a call chain.
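To make the failure mode from the Analysis section and the fix called for above concrete, the following is an added Solidity sketch written for this page; it is not KiloEx's, OneKey's or any audited project's code. It models the forwarder → keeper → price feed chain with a relayer that skips signature verification beside one that enforces it. The contract names (PriceFeed, Keeper, VulnerableForwarder, HardenedForwarder), the updatePrices entry point and the exact shape of the signature check are assumptions for illustration and do not reproduce the real KiloEx contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not KiloEx's code): an ERC-2771 style chain
// Forwarder -> Keeper -> PriceFeed. Names are hypothetical stand-ins.

struct ForwardRequest {
    address from;   // claimed signer; becomes the Keeper's logical caller
    address to;     // target contract (the Keeper)
    uint256 value;
    uint256 gas;
    uint256 nonce;
    bytes data;     // encoded call, e.g. Keeper.updatePrices(...)
}

// Last hop: only the Keeper contract may write prices.
contract PriceFeed {
    address public immutable keeper;
    mapping(address => uint256) public prices;

    constructor(address keeper_) { keeper = keeper_; }

    function setPrices(address[] calldata assets, uint256[] calldata newPrices) external {
        require(msg.sender == keeper, "PriceFeed: caller is not keeper");
        require(assets.length == newPrices.length, "PriceFeed: length mismatch");
        for (uint256 i = 0; i < assets.length; i++) prices[assets[i]] = newPrices[i];
    }
}

// Middle hop: trusts one forwarder and reads the logical sender from the
// 20-byte suffix the forwarder appends to calldata (ERC-2771).
contract Keeper {
    address public immutable trustedForwarder;
    PriceFeed public immutable feed;
    mapping(address => bool) public isPriceSigner;

    constructor(address forwarder_, address signer_) {
        trustedForwarder = forwarder_;
        feed = new PriceFeed(address(this));
        isPriceSigner[signer_] = true;
    }

    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    // This check is only as strong as the forwarder's proof that `from` signed.
    function updatePrices(address[] calldata assets, uint256[] calldata newPrices) external {
        require(isPriceSigner[_msgSender()], "Keeper: not an authorized price signer");
        feed.setPrices(assets, newPrices);
    }
}

abstract contract ForwarderBase {
    bytes32 private constant TYPEHASH = keccak256(
        "ForwardRequest(address from,address to,uint256 value,uint256 gas,uint256 nonce,bytes data)"
    );
    mapping(address => uint256) public nonces;

    // EIP-712 digest bound to this chain and this forwarder, so a signature
    // captured on one deployment cannot be replayed on another.
    function _digest(ForwardRequest calldata req) internal view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(
            TYPEHASH, req.from, req.to, req.value, req.gas, req.nonce, keccak256(req.data)));
        bytes32 domain = keccak256(abi.encode(
            keccak256("EIP712Domain(uint256 chainId,address verifyingContract)"),
            block.chainid, address(this)));
        return keccak256(abi.encodePacked("\x19\x01", domain, structHash));
    }

    // True only if `req.from` produced `sig` over this exact request and the nonce is fresh.
    function verify(ForwardRequest calldata req, bytes calldata sig) public view returns (bool) {
        if (sig.length != 65) return false;
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        // reject high-s signatures (malleability), as OpenZeppelin's ECDSA library does
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) return false;
        address signer = ecrecover(_digest(req), v, r, s);
        return signer != address(0) && signer == req.from && nonces[req.from] == req.nonce;
    }

    function _relay(ForwardRequest calldata req) internal returns (bool ok, bytes memory ret) {
        nonces[req.from] = req.nonce + 1;
        (ok, ret) = req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
    }
}

// VULNERABLE: relays whatever it is given. The signature is never checked, so the
// caller picks `from`, the Keeper sees a trusted signer, and setPrices() is reached
// with attacker-chosen prices: the bug class described in the Analysis section.
contract VulnerableForwarder is ForwarderBase {
    function execute(ForwardRequest calldata req, bytes calldata /* ignored */)
        external payable returns (bool, bytes memory)
    {
        return _relay(req);
    }
}

// HARDENED: the request is relayed only if `from` actually signed it.
contract HardenedForwarder is ForwarderBase {
    function execute(ForwardRequest calldata req, bytes calldata sig)
        external payable returns (bool, bytes memory)
    {
        require(verify(req, sig), "Forwarder: signature does not match from");
        return _relay(req);
    }
}
```

Every downstream check passes in both variants; the only difference is whether execute proves that req.from signed the request before the 20-byte sender suffix is appended. That is why an audit of a chained call path has to start at the outermost relayer: a permission check keyed on _msgSender() is only as strong as the forwarder that supplies that value. To reproduce the point in a unit test, call VulnerableForwarder.execute with req.from set to the registered signer and an empty signature, then read PriceFeed.prices; the same call against HardenedForwarder reverts.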


Verdict

The KiloEx exploit serves as a critical reminder that fundamental access control vulnerabilities, even in seemingly minor components, can lead to catastrophic financial losses across complex DeFi architectures.

Signal Acquired from → OneKey

Micro Crypto News Feeds