KiloEx (2025)

1000 BTC

Monetary Impact: 7500000 (USD)
Month: April
Year: 2025
Type: Exchange
Network: Multiple
Platform Status: Undetermined

Cause

An access control vulnerability in the MinimalForwarder contract’s execute function, which failed to properly verify signatures, allowed the attacker to manipulate the setPrices function in the KiloPriceFeed contract, enabling artificial price adjustments for profit.

Incident Review

On April 14, 2025, KiloEx, a multi-chain decentralized exchange (DEX) operating on Base and BNB Smart Chain (BSC), was exploited in a $7.5 million hack due to an access control vulnerability in its MinimalForwarder contract, inherited from OpenZeppelin’s MinimalForwarderUpgradeable. The flaw in the contract’s execute function allowed attackers to bypass signature verification, enabling unauthorized access to the setPrices function in the KiloPriceFeed contract through a chain of calls (MinimalForwarder → PositionKeeper → Keeper → KiloPriceFeed). The attacker crafted malicious transactions with a valid from address, a signature from prior transactions, and arbitrary data to manipulate token prices. They executed the attack by artificially lowering token prices via the oracle, opening long positions at the reduced prices, increasing the prices, and closing the positions for profit. The exploit affected Base and BSC, with stolen assets including Base, opBNB, and BSC tokens. Transaction evidence includes specific hashes on BSC (e.g., 0x38b25be14b83fd549d5e0b29ba962db83d41f5f9072d0eac4f692fa8e7110bc0) and Base (e.g., 0x6b378c84aa57097fb5845f285476e33d6832b8090d36d02fe0e1aed909228edd). KiloEx offered a $750,000 bounty (10% of the stolen funds) and immunity from prosecution if the remaining 90% was returned, but no confirmation of acceptance was reported. The incident underscores the critical need for robust access control validation, thorough review of inherited contracts, and secure oracle mechanisms, as the lack of transparency in the MinimalForwarder implementation exacerbated the vulnerability.
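The forwarder pattern the review describes, as an added illustration that is not KiloEx's or OpenZeppelin's code: a hypothetical ERC-2771-style forwarder whose execute function enforces the signature and nonce check the review says was missing, beside a hypothetical price feed that only accepts setPrices from its keeper. All contract and function names here (HardenedForwarder, PriceFeed, keeper) are assumptions, not KiloEx identifiers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import "@openzeppelin/contracts/metatx/ERC2771Context.sol";

// Hypothetical ERC-2771-style forwarder (added example; not KiloEx's or OpenZeppelin's code).
contract HardenedForwarder is EIP712 {
    struct ForwardRequest { address from; address to; uint256 value; uint256 gas; uint256 nonce; bytes data; }

    bytes32 private constant _TYPEHASH = keccak256(
        "ForwardRequest(address from,address to,uint256 value,uint256 gas,uint256 nonce,bytes data)");
    mapping(address => uint256) public nonces;

    constructor() EIP712("HardenedForwarder", "1") {}

    // Recovers the signer of the EIP-712 request and checks it is req.from with the current nonce.
    function verify(ForwardRequest calldata req, bytes calldata signature) public view returns (bool) {
        bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(
            _TYPEHASH, req.from, req.to, req.value, req.gas, req.nonce, keccak256(req.data))));
        return nonces[req.from] == req.nonce && ECDSA.recover(digest, signature) == req.from;
    }

    // The access-control point. Without the require, a caller could pass any `from` and any
    // `data`, and the target would treat the call as authorised by `from`.
    function execute(ForwardRequest calldata req, bytes calldata signature)
        external payable returns (bool success, bytes memory result)
    {
        require(verify(req, signature), "HardenedForwarder: signature does not match request");
        nonces[req.from] = req.nonce + 1; // consume the nonce first so the request cannot be replayed
        // ERC-2771: the signer is appended to calldata so the target can read it as _msgSender()
        (success, result) = req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
    }
}

// Hypothetical price feed behind the forwarder. Its keeper check is only as strong as the
// forwarder's signature check, which is why the forwarder is part of the oracle's trust boundary.
contract PriceFeed is ERC2771Context {
    address public immutable keeper;               // the one account allowed to push prices
    mapping(address => uint256) public prices;

    constructor(address forwarder, address keeper_) ERC2771Context(forwarder) { keeper = keeper_; }

    function setPrices(address[] calldata tokens, uint256[] calldata newPrices) external {
        require(_msgSender() == keeper, "PriceFeed: caller is not the keeper");
        require(tokens.length == newPrices.length, "PriceFeed: length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) prices[tokens[i]] = newPrices[i];
    }
}
```

When reviewing an inherited forwarder, the audit question is whether every path into execute reaches the require on verify, and whether the downstream contracts' keeper checks rely on _msgSender() from that forwarder.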


©2025, UEEx All Rights Reserved FINTRAC Registered