Author: ChandlerZ, Foresight News
On April 15, the perpetual contract DEX KiloEx announced that its vault had been attacked and that the situation was under control. Platform functions have been suspended, and the team is working with security partners to trace the flow of funds and plans to launch a bounty program. KiloEx is analyzing the attack path and affected assets while working with ecosystem partners to try to recover the funds. A full report will be released in the near future.
On-chain data shows that KiloEx addresses were drained of about $7.4 million, of which $3.3 million was on the Base network, $3.1 million on the opBNB network, and $1 million on BNB Chain.
According to market data, KILO fell by more than 33% in 24 hours, hitting a low of 0.033 USDT, and is now at 0.0346 USDT.
According to Cyvers Alerts monitoring, the root cause of this hack may be an access-control vulnerability in the price oracle.
Simply put, the oracle's price update should only have been callable by a trusted role, but because that permission check was missing, the attacker was able to bypass the verification mechanism and set the asset price arbitrarily, thereby manipulating the contract's logic.
PeckShield's preliminary analysis of one of the attack transactions likewise points to a price oracle problem. The attacker exploited the vulnerability to set the ETHUSD price to 100 when opening the position, then immediately closed the position at an inflated ETHUSD price of 10,000, making a profit of about $3.12 million in this transaction alone.
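To make the two findings above concrete, here is a small added model of an oracle-priced perpetual vault. It is not KiloEx's code; the keeper address, the 10% deviation band, the starting price, and the collateral and leverage (chosen so the unguarded case lands near the reported ~$3.12M) are all constructed. The same open-at-100 / close-at-10,000 sequence is replayed with the role check and the deviation band switched on and off, and a monitoring function shows how such price writes stand out in a feed of oracle updates.

```python
from dataclasses import dataclass, field

# Constructed parameters for the model (not values from KiloEx's contracts).
KEEPERS = {"keeper"}            # the only addresses allowed to push prices
MAX_DEVIATION_BPS = 1_000       # refuse an update that moves the price by > 10%


class Unauthorized(Exception):
    """Caller lacks the keeper role."""


class PriceDeviation(Exception):
    """Update moves the price further than the allowed band."""


def deviation_bps(old_price: int, new_price: int) -> int:
    """Absolute price move in basis points relative to the previous price."""
    return abs(new_price - old_price) * 10_000 // old_price


@dataclass
class Oracle:
    price: int                        # current asset price in whole USD
    check_role: bool = True           # False reproduces the unguarded update path
    check_deviation: bool = True      # False disables the sanity band

    def set_price(self, caller: str, new_price: int) -> None:
        # Hardened path: only keepers may write, and never by more than the band.
        if self.check_role and caller not in KEEPERS:
            raise Unauthorized(caller)
        if self.check_deviation and deviation_bps(self.price, new_price) > MAX_DEVIATION_BPS:
            raise PriceDeviation(new_price)
        self.price = new_price


@dataclass
class Vault:
    oracle: Oracle
    positions: dict = field(default_factory=dict)   # trader -> (size, entry price)

    def open_long(self, trader: str, collateral: int, leverage: int) -> None:
        self.positions[trader] = (collateral * leverage, self.oracle.price)

    def close_long(self, trader: str) -> int:
        size, entry = self.positions.pop(trader)
        # PnL of a long in USD: size * (exit - entry) / entry
        return size * (self.oracle.price - entry) // entry


def run_scenario(check_role: bool, check_deviation: bool):
    """Replay the open-at-100 / close-at-10,000 sequence from the report.

    Returns the attacker's PnL in USD if the sequence goes through, or the
    name of the check that stopped it."""
    oracle = Oracle(price=2_000, check_role=check_role, check_deviation=check_deviation)
    vault = Vault(oracle)
    try:
        oracle.set_price("attacker", 100)
        vault.open_long("attacker", collateral=3_150, leverage=10)
        oracle.set_price("attacker", 10_000)
        return vault.close_long("attacker")
    except (Unauthorized, PriceDeviation) as exc:
        return type(exc).__name__


def flag_price_updates(updates):
    """Monitoring side: flag updates from non-keepers or with abrupt moves.

    `updates` is an iterable of (block, caller, price) tuples in block order;
    returns a list of (block, reasons) for every suspicious update."""
    flagged, prev = [], None
    for block, caller, price in updates:
        reasons = []
        if caller not in KEEPERS:
            reasons.append("non-keeper caller")
        if prev is not None and deviation_bps(prev, price) > MAX_DEVIATION_BPS:
            reasons.append(f"{deviation_bps(prev, price)} bps move")
        if reasons:
            flagged.append((block, reasons))
        prev = price
    return flagged


# Constructed sample feed: two normal keeper pushes, then the two
# attacker-controlled writes described in the report.
SAMPLE_UPDATES = [
    (100, "keeper", 1_990),
    (101, "keeper", 2_005),
    (102, "attacker", 100),
    (103, "attacker", 10_000),
]

if __name__ == "__main__":
    print("unguarded:", run_scenario(False, False))
    print("role check only:", run_scenario(True, False))
    print("deviation band only:", run_scenario(False, True))
    print("flagged:", flag_price_updates(SAMPLE_UPDATES))
```

Either control alone stops the replayed sequence: the role check rejects the first write because the caller is not a keeper, and the deviation band rejects a 2,000 to 100 move on its own. Keeping both is the point, since a compromised keeper key would pass the role check but still hit the band, and the monitoring function gives an operator a signal to pause trading before a position closes against a manipulated price.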
What is KiloEx?
KiloEx is a decentralized perpetual DEX focusing on risk management, capital efficiency and ecosystem integration of LST tokens. KiloEx took part in BNB Chain's recent airdrop alliance campaign, as well as the Renew Paradigm campaign on Manta Pacific, earning stablecoin yield by staking STONE. In addition, KiloEx plans to launch hybrid vault and hybrid margin trading capabilities.
KiloEx itself is a Perp DEX based on oracle pricing, similar to GMX. Its core innovations are:
- Stablecoin-neutral LP with hedging
- Copy trading
- A token economy that draws on current advanced mechanisms
In terms of financing, KiloEx received investment from Binance Labs and was incubated in the sixth cohort of its MVB program. It has also received investment from Foresight Ventures, Crescendo Ventures, Manta Network, 7UP DAO, Poolz Finance, GTS Ventures and several angel investors.
KiloEx completed an exclusive TGE on Binance Wallet on March 27, attracting more than 70,000 users to the subscription, which was oversubscribed about 300 times.
According to its official website, KiloEx's cumulative trading volume is US$3.764 billion and its current TVL is US$33.84 million. According to DefiLlama, KiloEx's average daily trading volume is about US$100 million and its 7-day trading volume about US$500 million.
The trust crisis exposed by the security incident, and community doubts
Although the project team suspended platform functions promptly and worked with security firms to trace the flow of funds, the loss from this attack is almost equal to its current market capitalization of about US$7.3 million, and its fully diluted valuation is only about US$34.49 million. A theft of this size relative to the project will undoubtedly deal a heavy blow to user confidence. More worrying still, the KiloEx team has so far issued no detailed statement on a user compensation mechanism, a compensation plan or the use of team funds, blurring the line between a "hacker attack" and "whether the project team is responsible".
On social platforms, many community members voiced strong dissatisfaction, arguing that KiloEx lacks a clear commitment to user interests at a critical moment. Some users accused the project of "running away in the bear market" and "high-profile fundraising, low-key aftermath", and raised concerns about platform governance and financial transparency. The rapid shift in market sentiment also drove the short-term decline of more than 30%.
Although the KiloEx incident is still in the early stage of handling, it has exposed the core contradiction in the "sustainability test" facing a new round of decentralized protocols: security is not a post-incident response after launch, but a responsibility built in at the architecture stage. KiloEx in particular was incubated by Binance Labs and took part in airdrop alliance activities, so the trust between its core user base and the platform rests on a perception of "official endorsement". If the project team cannot produce a clear responsibility plan, then regardless of whether the funds are recovered, the market's confidence in the platform being "safe and controllable" will be fundamentally weakened, and its reputation within the ecosystem's collaboration network may suffer as well.
Structural challenges from frequent security incidents: not only a KiloEx problem
At the same time, the recent string of security-related incidents in the Web3 field has further deepened the industry's trust crisis. Shortly after the KiloEx hack, Odin.fun co-founder Bob Bodily tweeted yesterday that his account was suspected to have been compromised and that the incident is still being handled; earlier, some users had reported that assets in related accounts were emptied and suspected stolen. The spread of attacks from project contracts to founders' personal assets shows that attackers are no longer limited to technical vulnerabilities but mount systemic attacks across permissions, social engineering and even operational weaknesses, which places higher-level security governance demands on project teams.
It is particularly worth noting that some small and medium-sized DEXs rely on on-chain oracles for pricing yet still have obvious gaps in access control, permission verification and anomaly alerting. Across the Web3 industry, issues such as the absence of a compensation mechanism, imbalanced allocation of authority, and a vacuum in token governance power are gradually becoming red-line indicators in the community's new generation of investment evaluation. In the past the market paid more attention to product design and token return models, but with security incidents becoming frequent and regulatory standards tightening, whether a project can establish a full-chain mechanism of "pre-incident protection + in-incident freezing + post-incident compensation" will become the core variable in whether users and capital continue to support it.