KiloEx, a decentralized exchange (DEX) for trading perpetual futures contracts, was hit by a sophisticated attack on Tuesday that left users reeling from losses of about $7 million.
The exploit took place across several blockchain networks and appeared to stem from a vulnerability in the platform's price oracle system, according to blockchain analysis firm Cyvers.
An attacker, using a wallet funded through Tornado Cash (a tool that obscures transaction trails), executed a series of transactions on the Base, BNB Chain and Taiko networks to take advantage of a flaw in the platform's price oracle system, which allowed the attacker to manipulate asset prices.
KiloEx has since confirmed the breach, suspended platform operations and is now working with partners to trace the stolen funds and blacklist the attacker's wallet.
Oracles are blockchain-based tools that relay any type of data from outside a blockchain, where smart contracts use this data to make decisions for financial applications. In other words, the oracle tells the platform whether ether (ETH) is worth $2,000 or $3,000, ensuring that trades occur at fair market prices.
But oracles can be a weak link. In KiloEx's case, the attacker exploited an access control vulnerability in the price oracle: essentially, a flaw that allowed them to falsify data using flash loans (temporary liquidity), which tricked the system into believing false prices.
The attacker manipulated the oracle into reporting an absurdly low price for ETH (say, $100) when opening a leveraged trading position. Leverage allows traders to borrow funds to amplify their bets, so a false price can create massive distortions.
This made it appear that they had made a huge profit, which they then withdrew from the KiloEx vault. The attacker repeated this across Base, BNB Chain and Taiko, exploiting KiloEx's cross-chain setup to maximize gains before the platform could react.
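The effect described above, as a simplified Python model added here for illustration (it is not KiloEx's contract code): it compares a price setter with no caller check against one that requires an authorized updater and bounds each price move. The class and function names, the 5% bound, the $1,000 margin and the 10x leverage are assumptions; the $2,000 and $100 prices are the article's own illustrative figures.

```python
from dataclasses import dataclass

class OracleError(Exception):
    """Raised when a price update is rejected."""

@dataclass
class PriceOracle:
    price: float                        # last accepted price, USD
    updaters: frozenset = frozenset()   # callers allowed to push prices
    max_move: float = 0.05              # assumed bound: 5% per update
    enforce: bool = True                # False models the missing access control

    def set_price(self, caller: str, new_price: float) -> None:
        if self.enforce:
            if caller not in self.updaters:
                raise OracleError("caller is not an authorized updater")
            if abs(new_price - self.price) / self.price > self.max_move:
                raise OracleError("update exceeds max_move")
        self.price = new_price

def long_pnl(margin: float, leverage: int, entry: float, mark: float) -> float:
    """Profit of a leveraged long; position size is margin * leverage."""
    return margin * leverage * (mark - entry) / entry

def vault_payout(oracle, caller, pushed, market, margin=1_000.0, leverage=10):
    """Profit the vault would owe a long opened right after `caller` pushes `pushed`."""
    try:
        oracle.set_price(caller, pushed)
    except OracleError:
        pass                            # rejected: oracle keeps its last good price
    entry = oracle.price                # position opens at whatever the oracle says
    return long_pnl(margin, leverage, entry, market)

# Constructed scenario: ETH really trades at $2,000, the pushed price is $100.
if __name__ == "__main__":
    open_oracle = PriceOracle(price=2_000.0, enforce=False)
    guarded = PriceOracle(price=2_000.0, updaters=frozenset({"keeper"}))
    print(vault_payout(open_oracle, "anyone", 100.0, 2_000.0))
    print(vault_payout(guarded, "anyone", 100.0, 2_000.0))
```

In this model the unguarded oracle turns a $1,000 margin into a $190,000 claim on the vault, while the guarded one rejects the update and the position shows no profit.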
In one reported transaction, the attacker netted $3.12 million in a single move.
This is not the first time a DeFi platform has been hit by oracle manipulation. Similar attacks targeted platforms such as Mango Markets in 2022, where $100 million was stolen, and Cream Finance in 2021, with losses of $130 million.




