KiloEx, a decentralized exchange (DEX) for trading perpetual futures, was hit by a sophisticated attack on Tuesday that left users with losses of around $7 million.
The exploit spanned multiple blockchain networks and appeared to stem from a vulnerability in the platform's price oracle system, according to a blockchain analytics firm.
The attacker, using a wallet funded through Tornado Cash, a tool that obscures transaction trails, executed a series of transactions on the Base, BNB Chain and Taiko networks to exploit a flaw in the platform's price oracle system that allowed them to manipulate asset prices.
KiloEx has since confirmed the breach, suspended platform operations, and is now working with partners to trace the stolen funds and blacklist the attacker's wallet.
Oracles are blockchain-based tools that feed external data of any kind onto a blockchain, where smart contracts use that data to make decisions for a financial application. In other words, the oracle tells the platform whether Ether (ETH) is worth $2,000 or $3,000, which is what ensures that trades execute at fair market prices.
But oracles can be a weak link. In KiloEx's case, the attacker exploited an access-control vulnerability in the price oracle: in essence, a flaw that let them manipulate the price data, using flash loans (temporary liquidity) to trick the system into accepting false values.
The attacker manipulated the oracle into reporting an absurdly low price for ETH (say, $100) when opening a leveraged trading position. Leverage lets traders borrow funds to amplify their bets, so a false price can create massive distortions.
This made it appear that they had realized a large gain, which they then withdrew from the KiloEx vault. The attacker repeated this across Base, BNB Chain and Taiko, exploiting KiloEx's cross-chain configuration to maximize profits before the platform could react.
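To make the mechanism above concrete, here is an added, constructed model (not KiloEx's code, and not based on its contracts) of a price feed and a leveraged long position. `OpenOracle` reproduces the defect the article describes, a feed that accepts a price from any caller; `GuardedOracle` shows two assumed mitigations a perp DEX would want, an updater allow-list and a per-update deviation bound. The addresses, prices and leverage figures are all made up; `run_scenario` opens a long at whatever entry price the feed accepts from an untrusted caller, then marks it at the fair price once a trusted keeper restores it.

```python
"""Constructed model of a perpetual-DEX price oracle and a leveraged position.
Illustrative only: not KiloEx's contracts; all addresses and numbers are made up."""

from dataclasses import dataclass


class OracleRejected(Exception):
    """Raised when a price update fails access control or a sanity bound."""


@dataclass
class OpenOracle:
    """Models the defect described in the article: any caller can push a price."""
    price: float  # last reported USD price

    def update(self, caller: str, new_price: float) -> float:
        self.price = new_price  # no caller check, no sanity bound
        return self.price


@dataclass
class GuardedOracle:
    """Hardened feed (assumed mitigation, not the vendor's): only allow-listed
    updaters may post, and each update must stay within max_deviation of the
    last accepted price, which also limits damage from a compromised updater key."""
    price: float
    trusted_updaters: frozenset
    max_deviation: float = 0.10  # 10% per update

    def update(self, caller: str, new_price: float) -> float:
        if caller not in self.trusted_updaters:
            raise OracleRejected(f"caller {caller!r} is not an allow-listed updater")
        if new_price <= 0:
            raise OracleRejected("non-positive price")
        deviation = abs(new_price - self.price) / self.price
        if deviation > self.max_deviation:
            raise OracleRejected(f"update deviates {deviation:.0%} from last price")
        self.price = new_price
        return self.price


@dataclass
class Position:
    """A long perpetual position: margin posted by the trader times leverage."""
    margin: float
    leverage: float
    entry_price: float

    def pnl(self, exit_price: float) -> float:
        """Linear long-position PnL: notional times the relative price move."""
        notional = self.margin * self.leverage
        return notional * (exit_price / self.entry_price - 1)


def update_accepted(oracle, caller: str, new_price: float) -> bool:
    """True if the feed accepts the update, False if it raises OracleRejected."""
    try:
        oracle.update(caller, new_price)
        return True
    except OracleRejected:
        return False


def run_scenario(oracle, untrusted="0xuntrusted", keeper="0xkeeper",
                 fair_price=2000.0, fake_price=100.0,
                 margin=1000.0, leverage=10.0):
    """Open a long at whatever price the feed accepts from the untrusted caller,
    then mark it once the trusted keeper restores the fair price.
    Returns the PnL the vault would owe, or None if the feed rejected the update."""
    try:
        entry = oracle.update(untrusted, fake_price)
    except OracleRejected:
        return None
    pos = Position(margin, leverage, entry)
    oracle.update(keeper, fair_price)  # keeper restores the real market price
    return pos.pnl(oracle.price)


def vulnerable_outcome() -> float:
    # $1,000 margin at 10x, entered at a fake $100, marked at $2,000: $190,000 owed
    return run_scenario(OpenOracle(price=2000.0))


def hardened_outcome():
    # The untrusted caller is not allow-listed, so the feed rejects the $100 update
    return run_scenario(GuardedOracle(price=2000.0,
                                      trusted_updaters=frozenset({"0xkeeper"})))


if __name__ == "__main__":
    print("open oracle, vault owes:", vulnerable_outcome())
    print("guarded oracle, vault owes:", hardened_outcome())
```

The deviation bound matters independently of the allow-list: even a trusted keeper key cannot move the feed from $2,000 to $100 in one update, so a stolen updater key still cannot produce the 19x move that inflates the position's PnL. In practice the bound should be tuned per market and paired with a time-weighted reference so that legitimate volatility is not blocked.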
In one reported transaction, the attacker took $3.12 million in a single move.
This is not the first time a DeFi platform has been hit by oracle manipulation. Similar attacks have targeted platforms such as Mango Markets in 2022, where $100 million was stolen, and Cream Finance in 2021, with losses of $130 million.