KiloEx Warns Hacker After $7M Exploit, Offers 10% Bounty or Legal Action

Journalist

Hassan Shittu


Today, KiloEx, a decentralized exchange specializing in perpetual futures trading, publicly addressed the hacker responsible for a $7.5 million exploit.

In a post shared on X, the KiloEx team delivered a stern ultimatum to the attacker to return 90% of the stolen assets and walk away with a 10% white hat bounty or face relentless legal pursuit backed by law enforcement, cybersecurity firms and exchanges.

KiloEx disclosed that the identities and blockchain addresses linked to the attacker had already been identified and were under constant surveillance.

Among the exposed wallets are 0x551f3110f12c763d1611d5a63b5f015d1c1a954c, 0x00fac92881556a90fdb19eae9f23640b95b4bcbd, and 0xd43b395efad4877e94e06b980f4ed05367484bf3.

The team warned that these wallets could be frozen at any moment with the help of its partner networks.

To incentivize the attacker to cooperate, KiloEx offered a bounty of 10% of the stolen funds, amounting to $750,000, if 90% is returned within 72 hours to wallets specified across opBNB, BNB Chain, Base, Ethereum, and Manta networks.

Should the hacker comply, the DEX pledged to acknowledge the resolution publicly and close the case without further consequences.

“The choice is yours. Act now to avoid irreversible consequences,” the statement concluded, giving the hacker the option to contact the team via on-chain messaging or email.

Otherwise, the matter would escalate into a full-scale criminal investigation.

A Calculated Oracle Exploit Hits KiloEx for $7.5M

The exploit occurred on April 14 and stemmed from a price oracle manipulation vulnerability.

Blockchain security firms, including PeckShield and Cyvers, confirmed that the attacker used Tornado Cash to fund their wallet and then leveraged the exploit across multiple networks: Base, BNB Chain, and Taiko.

The attacker took advantage of a flaw in KiloEx’s oracle system that allowed for the manipulation of external price feeds.

The attacker opened leveraged positions at dramatically skewed valuations by tampering with the asset price data reported to the protocol.

In one reported transaction alone, the attacker took over $3.1 million; the resulting distortion of value let the attacker drain funds from KiloEx’s vault.
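The mechanism described above, as an added illustration that is not KiloEx's code or any real contract: a toy perpetuals vault that pays leveraged profit from whatever prices it is told, showing how a skewed entry price drains the vault, and a deviation bound against a trusted reference price (an assumed mitigation, not something the page attributes to KiloEx) that refuses the same trade. All prices, limits and balances are constructed.

```python
from dataclasses import dataclass

# Constructed parameters for illustration only; not KiloEx's real prices,
# limits or contract logic.
MAX_DEVIATION_BPS = 500  # assumed guard: reject prices >5% from the reference


@dataclass
class Vault:
    balance: float  # pooled collateral (USD) from which trader profits are paid


class Perps:
    """Toy perpetuals engine; a long's profit is paid out of the shared vault."""

    def __init__(self, vault: Vault, ref_price: float):
        self.vault = vault
        self.ref_price = ref_price  # trusted reference, e.g. a second feed or TWAP

    @staticmethod
    def pnl(entry: float, exit_: float, margin: float, leverage: int) -> float:
        # Long position: gain grows with leverage and the entry->exit move.
        return margin * leverage * (exit_ / entry - 1)

    def settle_unchecked(self, entry, exit_, margin, leverage) -> float:
        """Trust the reported prices blindly, which is what the exploit abused."""
        gain = self.pnl(entry, exit_, margin, leverage)
        self.vault.balance -= gain
        return gain

    def accept_price(self, reported: float) -> bool:
        """Reject any price too far from the reference before it is used."""
        deviation_bps = abs(reported - self.ref_price) / self.ref_price * 10_000
        return deviation_bps <= MAX_DEVIATION_BPS

    def settle_checked(self, entry, exit_, margin, leverage) -> float:
        if not (self.accept_price(entry) and self.accept_price(exit_)):
            raise ValueError("price rejected: outside deviation bound")
        return self.settle_unchecked(entry, exit_, margin, leverage)


def demo() -> tuple[float, bool]:
    """Open a 10x long at a reported price 50% below the true one, then close."""
    true_price, fake_entry, margin, leverage = 100.0, 50.0, 1_000.0, 10
    engine = Perps(Vault(balance=1_000_000.0), ref_price=true_price)
    gain = engine.settle_unchecked(fake_entry, true_price, margin, leverage)
    blocked = not engine.accept_price(fake_entry)  # guarded path refuses this
    return gain, blocked  # (10000.0, True): unchecked, the vault paid 10x margin
```

A real deployment would also check feed staleness and signer set, but the deviation bound alone already turns a 50% skewed entry into a rejected update.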

PeckShield estimated the damage at roughly $3.3 million on Base, $3.1 million on opBNB, and $1 million in BSC tokens.

Once the exploit was discovered, KiloEx quickly suspended all trading activity and notified partner protocols to blacklist the identified addresses.

According to the team, this exploit has been contained, and a bounty program was promised shortly after.

KiloEx is working with multiple security partners to trace the flow of stolen funds and recover them where possible. A full incident report is expected to be released in the coming days.

KiloEx Joins Long List of Oracle Attack Victims

This isn’t the first time a decentralized finance (DeFi) platform has fallen victim to an oracle-based attack.

Blockchain oracles, which deliver real-world data such as asset prices to smart contracts, have historically been attractive targets for exploiters, because a contract that trusts a manipulated feed will act on the false prices it reports.

The UwU Lend attack in June 2024 set a notable precedent, with $19.4 million drained in under six minutes through similar price manipulation tactics.

That exploit, too, was carried out from wallets funded through Tornado Cash, and it relied on manipulated price feeds to extract massive sums before being detected.

The protocol’s founder, Michael Patryn, also known as 0xSifu, later offered the attacker a 20% bounty in exchange for returning the majority of the stolen funds.

KiloEx’s case looks similar, and as the deadline for the hacker ticks down, the team watches closely.

If the hacker accepts the deal, it could add to a growing trend of exploiters choosing amnesty over anonymity. But if they don’t, KiloEx seems ready to make an example of them, with all legal and forensic tools at its disposal.