Briefing

KiloEx, a decentralized exchange, suffered a price oracle manipulation attack that drained approximately $7.5 million across its Base, opBNB, and BNB Smart Chain deployments. The attacker abused a missing access control check in the protocol’s MinimalForwarder contract to submit a forged request and push arbitrary prices into the KiloPriceFeed oracle. The incident underscores the systemic risk created when a single inadequately guarded component sits in the call path of a critical function in a multi-contract DeFi architecture.

Context

Prior to this incident, the DeFi ecosystem had seen a rise in price oracle manipulation attacks, often enabled by insufficient validation logic or centralized price feeds. Many protocols, KiloEx included, routed critical functions through multi-contract call chains, so that a single missing permission check anywhere in the chain could compromise the whole system. The prevailing risk factors were unaudited or inadequately audited forwarder contracts and a lack of granular access control.

Analysis

The attack exploited a missing access control check in KiloEx’s MinimalForwarder contract. The forwarder is the first link in the chain MinimalForwarder → PositionKeeper → Keeper → KiloPriceFeed that updates the price oracle, and it relayed requests without adequately verifying the submitted signature or the submitter’s authority, so any address could push a call through the chain as though it came from an authorized party. The attacker submitted a forged signature, impersonated an authorized address, and reached the setPrices() function on the KiloPriceFeed oracle. With control of the feed, the attacker first depressed asset prices, opened leveraged long positions at the depressed level, then inflated prices and closed the positions for risk-free profit, repeating the cycle to drain liquidity pools across all affected chains.

Parameters

  • Protocol Targeted → KiloEx
  • Attack Vector → Price Oracle Manipulation (via forged signature and missing access control)
  • Financial Impact → Approximately $7.5 million
  • Blockchain(s) Affected → Base, opBNB, BNB Smart Chain
  • Vulnerability → Missing Access Control in MinimalForwarder contract
  • Date of Incident → April 14-16, 2025

Outlook

Immediate mitigation for similar protocols is a full audit of every chained contract interaction, focused on access control and signature validation in forwarder contracts. A meta-transaction forwarder is a privilege boundary: every contract that treats it as trusted and reads the sender from the appended calldata (the ERC-2771 pattern) inherits whatever checks the forwarder performs, so the forwarder must verify signatures, restrict who may relay, and use nonces to prevent replay. Oracle design should also change: multi-source validation and decentralized feeds remove the single point of failure, and a per-update deviation bound or staleness check on the feed limits how far even an authorized keeper can move a price in one transaction. The broader implication is a higher standard for modular smart contract security, with explicit permission checks at every step of a call chain rather than implicit trust in the previous link.
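To make the chain in the Analysis and the mitigations in the Outlook concrete, the following Solidity sketch is an added example written for this page; it is not KiloEx’s code, and the contract names (VulnerableForwarder, Keeper, HardenedForwarder, BoundedPriceFeed), the setPrices() signature, and the deviation bound are assumptions for illustration only. It places a forwarder with the missing check beside a hardened forwarder and a price feed that bounds each update.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration of the Forwarder -> Keeper -> PriceFeed chain described in
// the article. All contract and function names are assumptions, not KiloEx's code.

interface IPriceFeed {
    function setPrices(address[] calldata tokens, uint256[] calldata prices) external;
}

// ---- Vulnerable pattern ----------------------------------------------------
// Relays any request and appends req.from as the ERC-2771 sender suffix, but
// never checks that req.from signed it or is allowed to use the forwarder.
contract VulnerableForwarder {
    struct ForwardRequest { address from; address to; bytes data; }
    function execute(ForwardRequest calldata req, bytes calldata) external returns (bytes memory ret) {
        // BUG: the signature argument is ignored and there is no allowlist,
        // so req.from is whatever the caller claims it to be.
        bool ok;
        (ok, ret) = req.to.call(abi.encodePacked(req.data, req.from));
        require(ok, "forward failed");
    }
}

// Keeper trusts the forwarder and reads the sender from the calldata suffix, so
// a spoofed req.from passes the keeper check and reaches setPrices() on the feed.
contract Keeper {
    address public immutable trustedForwarder;
    IPriceFeed public immutable feed;
    mapping(address => bool) public isKeeper;
    constructor(address forwarder, address keeper, IPriceFeed feed_) {
        trustedForwarder = forwarder; feed = feed_; isKeeper[keeper] = true;
    }
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }
    function setPrices(address[] calldata tokens, uint256[] calldata prices) external {
        require(isKeeper[_msgSender()], "not keeper");
        feed.setPrices(tokens, prices);
    }
}

// ---- Hardened forwarder ----------------------------------------------------
// Relays only requests carrying a valid EIP-712 signature from an allowlisted
// signer, bound to a per-signer nonce so a captured request cannot be replayed.
contract HardenedForwarder {
    struct ForwardRequest { address from; address to; uint256 nonce; bytes data; }
    bytes32 private constant TYPEHASH =
        keccak256("ForwardRequest(address from,address to,uint256 nonce,bytes data)");
    bytes32 public immutable DOMAIN_SEPARATOR;
    mapping(address => uint256) public nonces;
    mapping(address => bool) public allowedSigner;
    constructor(address[] memory signers) {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)"),
            keccak256("HardenedForwarder"), block.chainid, address(this)));
        for (uint256 i = 0; i < signers.length; i++) allowedSigner[signers[i]] = true;
    }
    function verify(ForwardRequest calldata req, bytes calldata sig) public view returns (bool) {
        if (!allowedSigner[req.from] || req.nonce != nonces[req.from] || sig.length != 65) return false;
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR,
            keccak256(abi.encode(TYPEHASH, req.from, req.to, req.nonce, keccak256(req.data)))));
        (bytes32 r, bytes32 s, uint8 v) = (bytes32(sig[0:32]), bytes32(sig[32:64]), uint8(sig[64]));
        address signer = ecrecover(digest, v, r, s); // address(0) on failure
        return signer != address(0) && signer == req.from;
    }
    function execute(ForwardRequest calldata req, bytes calldata sig) external returns (bytes memory ret) {
        require(verify(req, sig), "bad signature or unauthorised signer");
        nonces[req.from]++;
        bool ok;
        (ok, ret) = req.to.call(abi.encodePacked(req.data, req.from));
        require(ok, "forward failed");
    }
}

// ---- Price feed with a per-update sanity bound ------------------------------
// Even an authorised keeper cannot move a price by more than maxDeviationBps in
// one update, which blunts the depress-then-inflate sequence described above.
contract BoundedPriceFeed is IPriceFeed {
    address public immutable keeper;
    uint256 public immutable maxDeviationBps;
    mapping(address => uint256) public price;
    constructor(address keeper_, uint256 bps) { keeper = keeper_; maxDeviationBps = bps; }
    function setPrices(address[] calldata tokens, uint256[] calldata prices) external {
        require(msg.sender == keeper, "not keeper");
        require(tokens.length == prices.length, "length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 old = price[tokens[i]];
            uint256 diff = prices[i] > old ? prices[i] - old : old - prices[i];
            require(old == 0 || diff * 10_000 <= old * maxDeviationBps, "price move too large");
            price[tokens[i]] = prices[i];
        }
    }
}
```

In this model the attack is a single transaction: the attacker calls VulnerableForwarder.execute with req.from set to an address present in isKeeper, req.to set to the Keeper, and req.data set to setPrices() calldata; the forwarder appends the spoofed address, Keeper’s _msgSender() returns it, and the feed is rewritten. The same request fails against HardenedForwarder in verify(), because ecrecover cannot yield the keeper’s address without its private key, and BoundedPriceFeed additionally rejects any single update that moves a price by more than maxDeviationBps. The general point is that an ERC-2771-style _msgSender() makes the forwarder’s checks the effective access control for every contract behind it.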

Verdict

The KiloEx exploit serves as a critical reminder that fundamental access control vulnerabilities, even in seemingly minor components, can lead to catastrophic financial losses across complex DeFi architectures.

Signal Acquired from → OneKey