A sophisticated attacker leveraged Tornado Cash and an oracle vulnerability to drain millions from the decentralized futures DEX, leaving users stunned.

Decentralized futures platform KiloEx is the latest DeFi protocol to fall victim to a sophisticated multi-chain oracle manipulation attack — with losses totaling over $7 million.

On April 14, 2025, blockchain security firm Cyvers reported suspicious activity involving KiloEx, a decentralized exchange (DEX) for perpetual futures trading. What initially appeared as a flurry of abnormal transactions soon unraveled into a full-blown exploit spanning Base, BNB Chain, and Taiko networks.

🚨 The Anatomy of the Attack

The attacker’s method was both calculated and complex:

  • They funded their wallet via Tornado Cash, an Ethereum-based privacy mixer known for obfuscating transaction trails.
  • Using flash loans and a price oracle vulnerability, they tricked KiloEx’s smart contracts into accepting manipulated asset prices — a flaw often referred to as “oracle manipulation.”
  • For instance, the oracle reported ETH at an artificially low price (e.g., $100). The attacker then opened high-leverage positions, tricking the system into thinking massive profits were made.
  • These “profits” were immediately withdrawn before KiloEx could respond.
  • The same method was replicated across all three networks, extracting as much value as possible.

📊 In one transaction alone, the attacker netted over $3.1 million.

🌐 Multi-Chain Vulnerability

KiloEx’s cross-chain infrastructure, which once positioned it as a cutting-edge trading platform, turned into a major liability. The attacker’s ability to move across Base, BNB Chain, and Taiko enabled them to outpace security protocols, maximizing damage before automated protections could kick in.

🔒 What Went Wrong?

At the core of the issue was a critical flaw in KiloEx’s price oracle access control — a feature responsible for feeding external price data into the DEX’s smart contracts.

Oracles are supposed to serve as trusted bridges between blockchains and real-world data. But when improperly secured, they become a gateway for manipulation. In this case, the attacker exploited that gateway, using temporary liquidity from flash loans to feed in false pricing data — the classic setup for a leveraged drain.
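To make the two missing controls concrete, here is a small added example in Python (not KiloEx code; all prices, addresses and the 5% bound are constructed assumptions). It models a perpetuals price feed with and without caller authorization and a price-deviation bound, and shows how a leveraged position's mark-to-market profit depends entirely on the price the feed accepts.

```python
# Added example, not KiloEx's contracts: a toy perpetuals price feed showing
# the two checks the article says were missing (who may update the price,
# and whether the new price is plausible) and how a leveraged PnL
# calculation reacts to a bogus price. All values are constructed.
from dataclasses import dataclass, field


class OracleError(Exception):
    pass


@dataclass
class PriceFeed:
    """Feed that only accepts updates from allow-listed keepers and rejects
    any price deviating more than max_deviation from the last accepted one
    (a simple stand-in for a reference-price or TWAP sanity check)."""
    price: float                      # last accepted price, USD
    keepers: set = field(default_factory=set)
    max_deviation: float = 0.05       # assumed 5% bound per update

    def update(self, caller: str, new_price: float) -> float:
        if caller not in self.keepers:
            raise OracleError(f"unauthorized updater {caller}")
        if new_price <= 0:
            raise OracleError("non-positive price")
        deviation = abs(new_price - self.price) / self.price
        if deviation > self.max_deviation:
            raise OracleError(f"price moved {deviation:.0%} in one update")
        self.price = new_price
        return self.price


def position_pnl(entry: float, exit: float, collateral: float,
                 leverage: int, long: bool = True) -> float:
    """Mark-to-market profit (USD) of a leveraged perpetual position."""
    move = (exit - entry) / entry
    return collateral * leverage * (move if long else -move)


def unchecked_profit() -> float:
    """Constructed scenario with no access control or bound: the feed is set
    to a bogus $100, a 10x long is opened there, and the position is closed
    once the feed shows the real $1,600. The 'profit' is pure oracle error."""
    feed = PriceFeed(price=1600.0)
    feed.price = 100.0               # nothing stops an arbitrary write
    entry = feed.price
    feed.price = 1600.0              # real price returns
    return position_pnl(entry, feed.price, collateral=10_000, leverage=10)


def checked_update(caller: str, new_price: float) -> str:
    """Same feed with a keeper allow-list and the deviation bound enabled."""
    feed = PriceFeed(price=1600.0, keepers={"keeper-1"})
    try:
        feed.update(caller, new_price)
        return "accepted"
    except OracleError as e:
        return f"rejected: {e}"
```

With the checks enabled, the $100 update is rejected twice over: once because the caller is not a keeper, and again (even from a legitimate keeper) because a 94% one-step move exceeds the bound.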

🛑 KiloEx Responds

KiloEx has officially:

  • Suspended all operations
  • Acknowledged the breach
  • Collaborated with partners to trace stolen funds
  • Blacklisted the attacker’s wallet address

A full forensic investigation is underway, and the team has promised to improve oracle security and implement tighter cross-chain access controls.

🧠 Context: Not the First, Not the Last

This isn’t the first time DeFi protocols have been hit by similar oracle manipulation tactics. Major exploits in the past include:

  • Mango Markets ($100M) in 2022
  • Cream Finance ($130M) in 2021

As long as price oracles remain the Achilles’ heel of DeFi, sophisticated attackers will continue to exploit them.

🔮 The Bigger Picture

KiloEx’s downfall serves as a stark reminder of the risks in decentralized finance — especially when integrating cross-chain functionality without robust security measures. It also raises serious questions about oracle standardization, flash loan protections, and the ongoing need for real-time exploit detection systems.
