Decentralized perpetual exchange KiloEx published a post-mortem on its $7 million exploit stemming from a critical smart contract vulnerability.
According to the report, the issue originated from the TrustedForwarder contract, which inherited from OpenZeppelin’s MinimalForwarderUpgradeable but failed to override the “execute” method, leaving it permissionless.
This oversight allowed the attacker to manipulate trading positions across several chains. On April 13, the attacker initiated the exploit by withdrawing 1 Ether (ETH) from Tornado Cash to fund wallets across chains.
The attacker executed the exploit in under an hour by abusing the unprotected execute method to open and close positions at favorable prices.
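The inheritance mistake described above, in a simplified Solidity illustration added here (not KiloEx's or OpenZeppelin's code): a base forwarder whose execute method is open, a subclass that inherits it unchanged, and a subclass that overrides it with a relayer allowlist. Signature and nonce verification are omitted for brevity; the caller gate shown is in addition to, not a replacement for, that verification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified stand-in for an inherited forwarder; not OpenZeppelin's code.
/// Signature/nonce checks are omitted to keep the access-control point visible.
abstract contract BaseForwarder {
    struct ForwardRequest {
        address from;  // account the call is made on behalf of
        address to;    // target contract
        uint256 value;
        uint256 gas;
        bytes data;
    }

    /// Permissionless by default: any address can relay any request.
    /// An inheriting contract that wants restricted relaying must override this.
    function execute(ForwardRequest calldata req) public payable virtual returns (bool ok, bytes memory ret) {
        // ERC-2771 convention: append req.from so the target's _msgSender() recovers it
        (ok, ret) = req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
    }
}

/// The vulnerable shape: inherits the base and overrides nothing, so execute() stays open.
contract OpenTrustedForwarder is BaseForwarder {}

/// The hardened shape: execute() is overridden and gated to an allowlist of relayers.
contract GatedTrustedForwarder is BaseForwarder {
    address public immutable owner;
    mapping(address => bool) public isRelayer;

    constructor(address initialRelayer) {
        owner = msg.sender;
        isRelayer[initialRelayer] = true;
    }

    function setRelayer(address relayer, bool allowed) external {
        require(msg.sender == owner, "forwarder: not owner");
        isRelayer[relayer] = allowed;
    }

    /// The override is what closes the hole: unlisted callers revert before anything is forwarded.
    function execute(ForwardRequest calldata req) public payable override returns (bool, bytes memory) {
        require(isRelayer[msg.sender], "forwarder: caller is not an allowed relayer");
        return super.execute(req);
    }
}
```

Any contract that treats the forwarder as trusted (an ERC-2771 recipient) implicitly trusts every caller of execute, so the gate on the forwarder is the control that has to exist.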
The exploit was first detected by Cyvers Alerts, which flagged suspicious cross-chain activity across Base, Taiko, and BNB Chain. According to PeckShield, losses were spread across Base, opBNB, and BSC.
Hacker negotiations
According to the report, after sustained negotiations the hacker agreed to keep 10% as a bounty and returned the remaining stolen assets to KiloEx’s designated Safe multi-signature wallets.
KiloEx said the vulnerability has been fixed and emphasized that no open positions will face liquidation. Instead, all positions will be closed based on price snapshots taken before the attack. Profits and losses from the exploit period will not count toward final user balances.
The platform also said it worked with police and SlowMist to investigate the hack.