Binance-Backed DEX KiloEX Suspends Operations Following $7.5 Million Exploit
量子交易者
04-15 20:23
Cybersecurity researchers believe the exploit was due to manipulation of the decentralized exchange's price oracle.

Decentralized exchange (DEX) KiloEX has suspended operations following a $7.5 million attack, which cybersecurity researchers attributed to a “price oracle exploit.”

KiloEX launched in 2023, built on BNB Chain, opBNB, and Manta Network, and has received seed funding from Binance Labs, which invests in the Binance Coin (BNB) ecosystem.

In a tweet, the DEX reassured users that the exploit has now been contained. KiloEX said it is “working with security partners to trace the flow of funds” and that it is set to launch a bounty program to investigate the exploit.

The exchange said it is preparing a report on the incident to be shared in the coming days. KiloEX wasn’t able to provide any information as to the nature of the exploit, but identified the attacker’s wallet address as: 0x00fac92881556a90fdb19eae9f23640b95b4bcbd. It urged users to block the address to mitigate further damage.

At the time of writing, KiloEX hasn’t provided a timeline for when it plans to resume operations.

KiloEX has offered the hackers the chance to return 90% of the stolen crypto in exchange for “closing the case without further action.” Should the hackers fail to take the exchange up on its offer, it threatened legal action as well as exposing the identity of the perpetrators to "relevant authorities."

What is a price oracle exploit?

According to cybersecurity firm PeckShield, the exploit likely involved an issue with the DEX’s “price oracle.”

In crypto, “price oracles” are services that provide external data to smart contracts—such as the price of assets like Bitcoin (BTC), Ethereum (ETH) or U.S. dollars—effectively acting as a bridge between real-world data and the exchange’s blockchain.

If a price oracle malfunctions or can be manipulated by outside actors, directly or indirectly, it allows hackers to steal money.

Citing transaction history data, PeckShield believes the hackers used this price oracle exploit to create positions where Ethereum was initially priced at $100, and then closed them at an extremely inflated price of $10,000.

The firm believes the exploit led to $3.3 million in Base blockchain tokens, $3.1 million in opBNB tokens, and $1 million in Binance Smart Chain tokens being lost from the DEX.

Price oracle exploits have been a scourge on the DeFi world for many years, featuring in many high-profile attacks. Researchers believe that Mango Markets, a Solana-based DEX, lost $114 million in October 2022 after hackers managed to trick its oracle, which relied on a single source for its price data.

We’ve also seen price oracle-related exploits lead to Venus Protocol losing $100 million in May 2022.
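To make the mechanism concrete, here is an added example (not code from KiloEX, PeckShield or any exchange) of why an unchecked $100-to-$10,000 price pair pays out, and how a median-of-feeds deviation check, the usual defense against the single-source weakness mentioned above, rejects it. The function names, the three-feed minimum, the 10% threshold and the sample feed values are assumptions made for illustration; the article does not say how KiloEX's oracle was actually manipulated.

```python
from statistics import median

MAX_DEVIATION = 0.10  # assumed policy: reject prices >10% away from the reference


class PriceRejected(Exception):
    """Raised when a submitted price fails the sanity checks."""


def reference_price(feeds):
    """Median of independent feeds, so a single bad feed cannot set the price."""
    if len(feeds) < 3:
        raise PriceRejected("need at least 3 independent feeds")
    return median(feeds)


def validate_price(submitted, feeds, max_dev=MAX_DEVIATION):
    """Return the submitted price only if it is close to the reference."""
    ref = reference_price(feeds)
    deviation = abs(submitted - ref) / ref
    if submitted <= 0 or deviation > max_dev:
        raise PriceRejected(f"{submitted} deviates {deviation:.0%} from {ref}")
    return submitted


def long_pnl(size, entry, exit_price):
    """Profit of a long position: size * (exit - entry)."""
    return size * (exit_price - entry)


def settle_long(size, entry, exit_price, feeds, guarded):
    """Open and close a long; with guarded=True both prices must pass validation."""
    if guarded:
        entry = validate_price(entry, feeds)
        exit_price = validate_price(exit_price, feeds)
    return long_pnl(size, entry, exit_price)


if __name__ == "__main__":
    feeds = [1600.0, 1605.0, 1598.0]  # constructed sample feed values, not market data
    # Unguarded: 1 ETH opened at $100 and closed at $10,000 pays out $9,900.
    print("unguarded payout:", settle_long(1, 100.0, 10_000.0, feeds, guarded=False))
    try:
        settle_long(1, 100.0, 10_000.0, feeds, guarded=True)
    except PriceRejected as err:
        print("guarded:", err)
    # One manipulated feed out of three does not move the median.
    print("reference with one bad feed:", reference_price([1600.0, 10_000.0, 1605.0]))
```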

Web 3 security firm Cyvers believes that the attacker’s wallet was funded via Tornado Cash, a decentralized cryptocurrency mixer popular with crypto criminals. 
