Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 229 · Oracle Manipulation

KiloEX Oracle Forwarder Bypass

$7.5M extracted from KiloEX perps on Base, opBNB and BSC after the MinimalForwarder skipped signature checks; positions opened at $100, closed at $10,000.

Date: April 15, 2025
Victim: KiloEX
Status: Funds Stolen

On April 15, 2025, the Binance-backed perpetuals DEX KiloEX was exploited for approximately $7.5 million across three chains. The exploit unfolded as a textbook oracle-manipulation attack — open a position at one price, close it at a wildly different price — made possible by an access-control bug in the protocol's MinimalForwarder contract that let any caller submit arbitrary signed price updates.

What happened

KiloEX used a custom price-update flow inherited from OpenZeppelin's MinimalForwarderUpgradeable — a contract designed to let users execute meta-transactions on behalf of a signer who has authorised the call cryptographically. The execute() function should:

  1. Verify the signature of the meta-transaction request against the provided data.
  2. Forward the call only if the signature corresponds to an authorised signer.

KiloEX's customised MinimalForwarder failed to properly verify signatures against the provided data — the validation logic was structurally present but did not bind the signature to the call's actual payload. Any caller could submit a price-update request claiming to be signed by an authorised oracle and have the contract accept it.
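The binding failure described above, modelled as an added example that is not KiloEX's or OpenZeppelin's code: a forwarder whose request digest omits the call data beside one that covers every field, so the same oracle signature is accepted over a swapped price payload by the first and rejected by the second. The signature is an HMAC stand-in for ECDSA signer recovery, and the signer id, key and payload strings are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the oracle's signing key: the real forwarder recovers an
# ECDSA signer; an HMAC tag over the request digest plays that role so this runs offline.
ORACLE_KEY = b"constructed-oracle-key"
ORACLE = "oracle"  # placeholder signer id, not a real address

@dataclass(frozen=True)
class ForwardRequest:
    sender: str   # claimed signer ("from" in MinimalForwarder)
    to: str       # target contract, e.g. the price feed
    nonce: int    # replay protection
    data: bytes   # the call payload, e.g. a price update

def digest_unbound(req: ForwardRequest) -> bytes:
    # Broken binding: only identity and nonce are covered, the call data is not.
    return hashlib.sha256(f"{req.sender}|{req.nonce}".encode()).digest()

def digest_bound(req: ForwardRequest) -> bytes:
    # Correct binding: every field the forwarded call depends on is covered.
    head = f"{req.sender}|{req.to}|{req.nonce}|".encode()
    return hashlib.sha256(head + hashlib.sha256(req.data).digest()).digest()

def sign(req: ForwardRequest, key: bytes, digest_fn) -> bytes:
    return hmac.new(key, digest_fn(req), hashlib.sha256).digest()

class Forwarder:
    def __init__(self, digest_fn, keys: dict):
        self.digest_fn = digest_fn
        self.keys = keys          # authorised signer -> verification key
        self.nonces = {}
    def verify(self, req: ForwardRequest, sig: bytes) -> bool:
        key = self.keys.get(req.sender)
        if key is None or self.nonces.get(req.sender, 0) != req.nonce:
            return False
        return hmac.compare_digest(sign(req, key, self.digest_fn), sig)
    def execute(self, req: ForwardRequest, sig: bytes) -> bool:
        if not self.verify(req, sig):
            return False
        self.nonces[req.sender] = req.nonce + 1
        return True   # the real contract would now call req.to with req.data

def tampered_update_accepted(digest_fn) -> bool:
    # Sign an honest update, swap the payload, and see whether the forwarder runs it.
    fwd = Forwarder(digest_fn, {ORACLE: ORACLE_KEY})
    honest = ForwardRequest(ORACLE, "pricefeed", 0, b"setPrice(ETHUSD,2000)")
    sig = sign(honest, ORACLE_KEY, digest_fn)
    forged = ForwardRequest(ORACLE, "pricefeed", 0, b"setPrice(ETHUSD,100)")
    return fwd.execute(forged, sig)
```

A check in this shape, run against the customised forwarder with a deliberately altered payload, is the kind of test a re-audit of an overridden verification path should include.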

Once the attacker could push arbitrary prices to KiloEX's oracle, they:

  1. Opened a perpetuals long on ETHUSD with an oracle-reported price of $100.
  2. Immediately closed the same position with an oracle-reported price of $10,000 — a 100× swing in a single transaction.
  3. Walked with the difference, netting $3.12 million in a single Base transaction.

Repeated across chains: ~$3.3M on Base, ~$3.1M on opBNB, ~$1M on BSC.

Aftermath

  • KiloEX suspended operations and offered the attacker a $750K bounty (10% of the take) plus release from legal liability for return of the remaining 90%.
  • The team blacklisted the attacker's addresses and worked with Binance-affiliated forensic firms to trace the funds.
  • Operations remained suspended for an extended period as the team re-audited the meta-transaction flow.

Why it matters

KiloEX is an unusually pure case study for why upgrading or customising battle-tested OpenZeppelin contracts is high-risk territory. The original MinimalForwarder is a well-reviewed primitive with extensive test coverage; the customisation introduced by KiloEX — to fit their oracle-update flow — broke the security guarantee in a way that was not visible to standard audit checklists.

The structural lesson: inheriting from a trusted base contract is not the same as inheriting its security. Any override of a security-critical function (signature verification, access control, replay protection) needs to be re-audited as if it were a fresh implementation — because functionally it is one.

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-kiloex-hack-april-2025
  2. coindesk.com: https://www.coindesk.com/markets/2025/04/15/dex-kiloex-loses-usd7m-in-apparent-oracle-manipulation-attack
  3. decrypt.co: https://decrypt.co/314827/binance-backed-dex-kiloex-suspends-operations-following-7-5-million-exploit
