KiloEx, a decentralized perpetuals trading platform backed by YZi Labs, was exploited for approximately $7.4 million in a cross-chain attack.
The attack was first flagged by blockchain security platform Cyvers Alerts on Apr. 14 at 7:30 PM UTC. The company reported that a wallet funded via Tornado Cash carried out a number of dubious transactions on Base, Taiko, and BNB Chain (BNB). A price oracle access control vulnerability was reported to be the root cause. The stolen funds include USD Coin (USDC), which may be blacklisted by issuers.
KiloEx later confirmed the exploit, urging protocols and platforms to blacklist the attacker’s wallet and announcing an immediate suspension of platform activity. The platform stated that actions were being taken to engage bridge protocols and prevent additional losses. KiloEx also announced that it would start a bounty program and release a comprehensive postmortem report.
In a later update, the team stated it was working with blockchain security firms Seal-911, SlowMist, and Sherlock, alongside networks like BNB Chain and Manta Network, to investigate and recover the stolen funds. The assets were reportedly being bridged via zkBridge and Meson.
Further analysis from blockchain security firm PeckShield estimated losses at approximately $7.5 million, with $3.3 million lost on Base, $3.1 million on opBNB, and $1 million on BSC.
The firm confirmed that a manipulated price oracle allowed the attacker to open a position using an ETH/USD price of 100, then immediately close it using an inflated value of 10,000, netting millions in a single transaction.
The KiloEx exploit adds to a growing trend of DeFi hacks. In Q1 2025, $1.64 billion was stolen, making it the worst quarter ever for cryptocurrency exploits, according to Immunefi’s Q1 2025 report. While centralized finance platforms lost $1.5 billion in two attacks, DeFi protocols lost $106.8 million in 38 incidents.
