{"id":1058,"date":"2025-06-12T12:50:44","date_gmt":"2025-06-12T10:50:44","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=1058"},"modified":"2025-06-12T12:50:44","modified_gmt":"2025-06-12T10:50:44","slug":"inside-the-7-5m-kiloex-hack","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/inside-the-7-5m-kiloex-hack\/","title":{"rendered":"Inside the $7.5M KiloEx Hack"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">On April 14, 2025, the KiloEx protocol suffered a significant security breach resulting in approximately $7.5 million in losses. The incident stemmed from an oracle manipulation attack, highlighting critical vulnerabilities in the protocol&#8217;s access control mechanisms. Let&#8217;s dive into what happened and what we can learn from it.<\/span><\/p>\n<h2><b>Root cause<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The root of the exploit was an access control issue in the protocol&#8217;s <code class=\"codehl\">MinimalForwarder<\/code> contract<\/span><span style=\"font-weight: 400;\">. 
The contract, which was inherited from OpenZeppelin&#8217;s <code class=\"codehl\">MinimalForwarderUpgradeable<\/code>, <\/span><span style=\"font-weight: 400;\">contained a vulnerability in its <code class=\"codehl\">execute<\/code><\/span><span style=\"font-weight: 400;\"> function that failed to properly verify signatures against the provided data.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1059 size-large\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2025\/06\/kiloex-1-1024x138.png\" alt=\"\" width=\"1024\" height=\"138\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-1-1024x138.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-1-300x41.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-1-768x104.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-1-1536x208.png 1536w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-1-370x50.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-1-760x103.png 760w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-1.png 1753w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h3><b>Trust model<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The KiloEx protocol operated with a complex trust model involving multiple contracts:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">KiloPriceFeed \u2192 Keeper<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Keeper \u2192 PositionKeeper<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">PositionKeeper \u2192 MinimalForwarder<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">MinimalForwarder \u2192 Unrestricted Access<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The 
critical flaw resided in the final link of this chain, where the <code class=\"codehl\">MinimalForwarder<\/code> contract <\/span><span style=\"font-weight: 400;\">essentially trusted any incoming request.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-1060\" src=\"https:\/\/abchprod.wpengine.com\/wp-content\/uploads\/2025\/06\/kiloex-2-1024x246.png\" alt=\"\" width=\"1024\" height=\"246\" srcset=\"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-2-1024x246.png 1024w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-2-300x72.png 300w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-2-768x185.png 768w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-2-1536x369.png 1536w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-2-370x89.png 370w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-2-760x183.png 760w, https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/kiloex-2.png 2037w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<h2><b>The attack vector<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The attacker exploited the vulnerability by crafting malicious transactions that bypassed the intended access controls. 
To successfully execute the attack, they needed only to provide:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A valid <code class=\"codehl\">from<\/code><\/span><span style=\"font-weight: 400;\">\u00a0address (obtainable from previous transactions)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A valid <code class=\"codehl\">signature<\/code><\/span><span style=\"font-weight: 400;\">\u00a0(also observable from on-chain data)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Any arbitrary <code class=\"codehl\">to<\/code><\/span><span style=\"font-weight: 400;\">\u00a0address (in this case, the <\/span><span style=\"font-weight: 400;\">PositionKeeper<\/span><span style=\"font-weight: 400;\">)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Custom <code class=\"codehl\">data<\/code><\/span><span style=\"font-weight: 400;\">\u00a0for function execution<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">What made this attack particularly concerning was that the implementation of the <code class=\"codehl\">MinimalForwarder<\/code> <\/span><span style=\"font-weight: 400;\">contract was not transparent and couldn&#8217;t be found on either BSC or Base.<\/span><\/p>\n<h2><b>Attack execution<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The attacker executed their exploit through a series of calculated steps:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Manipulated the oracle to decrease the asset price<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Opened long positions at the artificially lowered price<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Manipulated the oracle again to increase the 
price<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Closed positions for significant profit<\/span><\/li>\n<\/ol>\n<h2><b>Impact and implications<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">This incident is a reminder of several critical security principles:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Access control is critical<\/b><span style=\"font-weight: 400;\"> \u2013 Even inherited contracts need careful review and potential modification to ensure they meet specific security requirements.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Trust model verification<\/b><span style=\"font-weight: 400;\"> \u2013 Complex trust relationships between contracts require thorough validation at each step.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Oracle security<\/b><span style=\"font-weight: 400;\"> \u2013 Price feed mechanisms remain a critical attack vector in DeFi protocols.<\/span><\/li>\n<\/ol>\n<h2><b>Transaction evidence<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The attack was executed across multiple chains:<\/span><\/p>\n<p><b>Binance Smart Chain<\/b><span style=\"font-weight: 400;\">:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/bscscan.com\/tx\/0x38b25be14b83fd549d5e0b29ba962db83d41f5f9072d0eac4f692fa8e7110bc0\"><span style=\"font-weight: 400;\">0x38b25be14b83fd549d5e0b29ba962db83d41f5f9072d0eac4f692fa8e7110bc0<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/bscscan.com\/tx\/0x1aaf5d1dc3cd07feb5530fbd6aa09d48b02cbd232f78a40c6ce8e12c55927d03\"><span style=\"font-weight: 400;\">0x1aaf5d1dc3cd07feb5530fbd6aa09d48b02cbd232f78a40c6ce8e12c55927d03<\/span><\/a><\/li>\n<\/ul>\n<p><b>Base<\/b><span style=\"font-weight: 400;\">:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a 
href=\"https:\/\/basescan.org\/tx\/0x6b378c84aa57097fb5845f285476e33d6832b8090d36d02fe0e1aed909228edd\"><span style=\"font-weight: 400;\">0x6b378c84aa57097fb5845f285476e33d6832b8090d36d02fe0e1aed909228edd<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/basescan.org\/tx\/0xde7f5e78ea63cbdcd199f4b109db2a551b4462dec79e4dba37711f6c814b26e6\"><span style=\"font-weight: 400;\">0xde7f5e78ea63cbdcd199f4b109db2a551b4462dec79e4dba37711f6c814b26e6<\/span><\/a><\/li>\n<\/ul>\n<h2><b>Key takeaways<\/b><\/h2>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Always thoroughly review and test inherited contracts, especially their access control mechanisms.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Contract implementations should be verified and accessible for security analysis.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Relying on a single point of access control is risky; implement defense in depth.<\/span><\/li>\n<\/ul>\n<h2><b>Conclusion<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">For protocols looking to prevent similar incidents:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Implement robust signature verification in forwarding contracts<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Maintain clear documentation of trust relationships between contracts<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Conduct regular security audits with a focus on access control mechanisms<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Consider implementing circuit breakers for significant price movements<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">This incident shows the importance of 
thorough security reviews and the potential consequences of overlooking access control mechanisms in smart contract development.<\/span><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On April 14, 2025, the KiloEx protocol suffered a significant security breach resulting in approximately $7.5 million in losses. The incident stemmed from an oracle manipulation attack, highlighting critical vulnerabilities in the protocol&#8217;s access control mechanisms. Let&#8217;s dive into what happened and what we can learn from it. Root cause The root of the exploit was an access control issue in the&hellip;<\/p>\n","protected":false},"author":30,"featured_media":1016,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,84,80],"tags":[24,86,152,64],"class_list":["post-1058","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethereum","category-hacks","category-solidity","tag-ethereum","tag-hack","tag-kiloex","tag-security"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/03\/Cross-Function-Reentrancy-Attack-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/03\/Cross-Function-Reentrancy-Attack-600x600.png","author_info":{"display_name":"Tom\u00e1\u0161 
Kova\u0159\u00edk","author_link":"https:\/\/ackee.xyz\/blog\/author\/tomas-kovarik\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=1058"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1058\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/1016"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=1058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=1058"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=1058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}