KiloEx, a decentralized perpetual exchange, recently discovered a $7 million exploit that originated from a critical smart contract vulnerability. The company swiftly published a post-mortem analysis to shed light on the unfortunate event and outline its immediate response to mitigate the impact.
Understanding the Vulnerability
The flaw can be traced back to the TrustedForwarder contract. It was essentially an inherited contract from OpenZeppelin’s MinimalForwarderUpgradeable. However, the KiloEx team failed to override the execute method, which inadvertently left the function permissionless. Therefore, there weren’t any restrictions in place to prevent unauthorized transactions.
This allowed an attacker to exploit this loophole and manipulate trading positions across multiple chains. In one instance, the attacker withdrew 1 ETH from Tornado Cash to fund numerous wallets spread across various chains. This incident took place on April 13.
Despite the complexity of the exploit, the attacker managed to execute it in under an hour by utilizing the open method strategically. The attacker was able to open and close positions to benefit from favorable prices.
Detecting the Exploit
The exploit was first flagged by Cyvers Alerts, a cybersecurity platform that detected suspicious cross-chain activity across several networks, including Base, Taiko, and BNB Chain. The cybersecurity firm PeckShield confirmed that the losses were spread across Base, opBNB, and BSC.
Negotiating with the Hacker
Following a series of negotiations, the hacker agreed to retain a 10% bounty and returned all the stolen assets to KiloEx’s designated Safe multi-signature wallets. The hacker’s compliance was an unexpected twist, but it allowed the company to retrieve the stolen funds with relative ease.
KiloEx was praiseworthy in its immediate response to avert greater damage. They assured users that measures had been taken to rectify the vulnerability. These measures included liquidating open positions on the basis of price snapshots taken before the attack occurred. The company emphasized that no open positions would face liquidation.
The platform also decided to negate the profit and loss from the exploit period to maintain transparency and trust among its users. This means the final user balances wouldn’t include any transactions completed during the exploit period.
Investigation and Future Measures
KiloEx reported the incident to the authorities and partnered with cybersecurity platform, SlowMist, to thoroughly investigate the hack. They hope to understand every detail of the exploit to prevent similar incidents in the future.
This serious event is a reminder for other platforms as well. It underscores the importance of rigorous and regular security assessments to uncover and rectify potential vulnerabilities. This will ensure the protection of users’ assets.
