KiloEx tells hacker to return 90% of the $7 million stolen from its perp vaults or face relentless legal pursuit

QUICK TAKE
KiloEx lost $7 million after an unknown attacker tricked the protocol’s oracle function with a wallet funded using Tornado Cash.
The team halted trading following the multi-chain theft across Base, BNB Chain and Taiko.
An update from the decentralized exchange asked the hacker to return most of the funds and keep 10% as a whitehat bounty — or brave a manhunt.

KiloEx, a decentralized perpetual futures exchange, suffered $7 million in losses across three blockchains due to a price oracle manipulation attack executed by an address funded via Tornado Cash, web3 security shop Cyvers alerted late on Monday. Per the report, an exploiter used an oracle-access control vulnerability to feed KiloEx incorrect prices, allowing the culprit to siphon funds on Base, BNB Chain and Taiko.

Oracles collect onchain data from several networks and transmit it to decentralized applications for their operations. In this case, the assailant tapped a loophole in KiloEx’s price system and made the DEX believe false market rates. They then opened leveraged positions, which amplify gains on a winning trade and losses on a losing one, and made outsized returns because of the altered market prices. Data showed profits of over $3 million in a single transaction on KiloEx during the incident.
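To make the failure mode concrete, here is an added illustration (not KiloEx’s code, and not a reconstruction of it) of the pattern the report describes: a price feed whose update path has no access control, next to a hardened version that restricts who can push prices and bounds how far each update may move. Contract names, the signer allowlist, the 5% deviation limit and the staleness window are all assumed design choices for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration, not KiloEx's code: a price feed whose update
// path has no access control, so any caller can push a false price that
// the perp engine then trusts when opening and settling positions.
contract UnprotectedPriceFeed {
    mapping(bytes32 => uint256) public price; // market id => price (1e18 scale)

    function updatePrice(bytes32 market, uint256 newPrice) external {
        price[market] = newPrice; // no check on msg.sender at all
    }
}

// Hardened form (assumed design): only approved signers may update, each
// update is bounded against the last accepted price, and stale data is
// rejected by the consumer rather than silently used.
contract GuardedPriceFeed {
    struct Quote { uint256 price; uint64 updatedAt; }
    mapping(bytes32 => Quote) private quotes;
    mapping(address => bool) public isSigner;
    address public immutable owner;
    uint256 public constant MAX_DEVIATION_BPS = 500;  // 5% per update
    uint256 public constant MAX_STALENESS = 5 minutes;
    event PriceUpdated(bytes32 indexed market, uint256 price, address signer);

    constructor() { owner = msg.sender; }

    function setSigner(address signer, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isSigner[signer] = allowed;
    }

    function updatePrice(bytes32 market, uint256 newPrice) external {
        require(isSigner[msg.sender], "unauthorized signer");
        Quote memory last = quotes[market];
        if (last.price != 0) { // first quote bootstraps; later ones are bounded
            uint256 diff = newPrice > last.price ? newPrice - last.price : last.price - newPrice;
            require(diff * 10_000 <= last.price * MAX_DEVIATION_BPS, "deviation too large");
        }
        quotes[market] = Quote(newPrice, uint64(block.timestamp));
        emit PriceUpdated(market, newPrice, msg.sender);
    }

    function getPrice(bytes32 market) external view returns (uint256) {
        Quote memory q = quotes[market];
        require(q.price != 0 && block.timestamp - q.updatedAt <= MAX_STALENESS, "stale or missing price");
        return q.price;
    }
}
```

The deviation bound is a circuit breaker, not a substitute for access control: a compromised signer can still walk the price in 5% steps, which is why the PriceUpdated event is worth alerting on in monitoring.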

The attacker funded the exploit wallet using Tornado Cash, an Ethereum-based privacy tool that shrouds where funds came from. KiloEx confirmed the sophisticated assault and halted the trading platform to mitigate further outflows. “The exploit has been contained,” an April 14 update from the protocol said. “The team immediately suspended platform usage and is working with security partners to trace the flow of funds. The team will release a bounty program.”

Note to hacker
The latest update from KiloEx sought to establish communication with the hacker. According to a Tuesday post on X, the scammer may keep 10% of the stolen funds as a reward if they return 90% of the loot. “We will tweet about this resolution, acknowledging your cooperation and closing the case without further action,” the team wrote. “If you agree, please contact us at operation@kiloex.io or send an on-chain message to confirm.”

Should the exploiter snub KiloEx’s olive branch, the DEX promised to expose their identity and seek legal remedies. “If you fail to comply, we will escalate the investigation with law enforcement and cybersecurity partners. Your identity and activities will be exposed to relevant authorities. We will pursue legal action relentlessly. The choice is yours. Act now to avoid irreversible consequences,” KiloEx threatened.

Oracle flaws aren’t new to dapps. Avraham Eisenberg extracted $110 million from Mango Markets in 2022 in what he described as a “highly profitable trading strategy” by tweaking market prices on the Solana-based options trading provider. Eisenberg was convicted on fraud charges in 2024 by a federal court in Manhattan and has requested a new trial.
