News
KiloEx recovers all stolen funds from April hack, confirms case closure
KiloEx has announced the full recovery of the $7.5 million that was stolen during a sophisticated price oracle exploit.
The perp protocol verified that the recovery did not result in any financial loss for the user and formally initiated the legal process to conclude the case.
Crediting the progress to the coordinated efforts of legal authorities, internal teams, and cybersecurity experts, including SlowMist Team and Blitezero, the KiloEx team stated that “With all affected funds fully restored (leaving no victims), we are fulfilling our pledge to resolve this matter fairly and transparently.”
The hack
On April 14, 2025, KiloEx suffered a $7.5 million hack after a vulnerability in its price oracle system allowed an attacker to manipulate prices. The hacker used a wallet funded through Tornado Cash to stay anonymous and exploited a flaw in KiloEx’s smart contracts.
By altering the ETH/USD price feed, they bought Ethereum at just $100 and sold it for $10,000 in the same transaction. They repeated this process across multiple blockchains, including BNB Smart Chain, Base, and opBNB.
The security issue originated from the MinimalForwarder.execute() function in KiloEx’s code, which failed to verify the source of the price data. This oversight allowed a hacker to inject fake prices. In response, KiloEx shut down its platform, released the attacker’s wallet address, and attempted to limit the damage.
As a result, the KILO token plummeted by more than 30%, wiping out nearly 78% of its market value just weeks after a significant token launch and a partnership announcement with DWF Labs.
KiloEx collaborated with blockchain networks and security firms such as BNB Chain, Manta Network, SlowMist, PeckShield, Seal-911, and others to investigate the attack. On April 15, the exchange offered the hacker a white hat bounty: if they returned 90% of the funds within 72 hours, they could keep 10% and avoid legal consequences.
Reward as bounty
With the return of funds, KiloEx is fulfilling its promise to handle the situation with fairness and transparency. As part of that commitment, they will pay a 10% bounty worth about $750,000 to the white hat who returned the funds. KiloEx described the gesture as a white hat reward and a step toward building long-term trust with the ethical hacking community.
“In adherence to our agreement, we will award 10% of the recovered amount as a bounty to the white hat involved, recognizing their contribution to improving our platform’s security,” the team stated, noting that updates on the final withdrawal and legal closure will be shared on their X account.
6 Comments