
KiloEx drops bombshell: $7M vanished in smart contract heist!
Date: 2025-04-21 13:40:00 | By Lydia Harrow
KiloEx's $7M Heist: A Deep Dive into the Exploit That Shook the Crypto World
Holy smokes, folks! KiloEx, the hotshot decentralized perpetual exchange, just dropped a bombshell post-mortem on their jaw-dropping $7 million exploit. Brace yourselves, because this is a wild ride!
Get this: the whole mess kicked off with a critical smart contract vulnerability in the TrustedForwarder contract. KiloEx's contract inherited from OpenZeppelin’s MinimalForwarderUpgradeable, but the team totally dropped the ball by not overriding the "execute" method. Yikes! That left "execute" permissionless, a wide-open playground for hackers.
So, what did the attacker do? They exploited this oversight to mess with trading positions across multiple chains. On April 13, they kicked things off by pulling 1 ETH from Tornado Cash to fuel their wallet-hopping spree across chains. Talk about a crypto crime spree!
Hold onto your hats, because the attacker pulled off this exploit in less than an hour. They totally abused that open method to open and close positions at sweet, sweet prices. It was like watching a high-stakes poker game, except with millions on the line!
The exploit was first sniffed out by the eagle-eyed folks at Cyvers Alerts, who spotted some seriously shady cross-chain action across Base, Taiko, and BNB Chain. PeckShield chimed in, revealing that the losses were spread across Base, opBNB, and BSC. This was no small-time heist, my friends!
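What a permissionless "execute" looks like next to an overridden one, as an added Python model (not KiloEx's or OpenZeppelin's code): the inherited method checks signature and nonce but never who is calling, while one possible override admits allowlisted relayers only. The HMAC stand-in for the signature, the class names and the addresses are assumptions made for this model.

```python
import hashlib
import hmac

def sign(key, req):
    # HMAC stands in for the EIP-712 ECDSA signature (assumption, keeps the model stdlib-only).
    msg = "|".join(str(req[k]) for k in ("from", "to", "nonce", "data")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ModelForwarder:
    """Inherited behaviour: execute() checks signature and nonce, never the caller."""

    def __init__(self, signer_keys):
        self._keys = dict(signer_keys)   # constructed: signer address -> key
        self._nonces = {}                # signer address -> next expected nonce

    def verify(self, req, signature):
        key = self._keys.get(req["from"])
        fresh = self._nonces.get(req["from"], 0) == req["nonce"]
        return key is not None and fresh and hmac.compare_digest(sign(key, req), signature)

    def execute(self, caller, req, signature, target):
        if not self.verify(req, signature):
            raise PermissionError("signature or nonce mismatch")
        self._nonces[req["from"]] = req["nonce"] + 1
        # The target sees the forwarder as the caller; the signer travels with the data.
        return target(req["data"], req["from"])

class RestrictedForwarder(ModelForwarder):
    """Hardened form: execute() is overridden to admit allowlisted relayers only."""

    def __init__(self, signer_keys, relayers):
        super().__init__(signer_keys)
        self._relayers = frozenset(relayers)

    def execute(self, caller, req, signature, target):
        if caller not in self._relayers:
            raise PermissionError(f"relayer {caller} is not allowlisted")
        return super().execute(caller, req, signature, target)

def relay(forwarder, caller, key, nonce=0):
    """Relay one constructed request and report whether the forwarder accepted it."""
    req = {"from": "0xUser", "to": "0xTarget", "nonce": nonce, "data": "ping"}
    try:
        forwarder.execute(caller, req, sign(key, req), lambda data, signer: (data, signer))
        return "forwarded"
    except PermissionError as exc:
        return f"rejected: {exc}"
```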
Hacker Negotiations
Now, here's where things get really interesting. After some intense back-and-forth, the hacker agreed to a 10% bounty and started returning all the stolen assets to KiloEx’s designated Safe multi-signature wallets. It was like watching a high-stakes negotiation unfold in real time!
KiloEx was quick to patch up the vulnerability and made it crystal clear: no open positions will face liquidation. Instead, they'll close all positions based on price snapshots taken before the attack. And get this—any profits or losses from the exploit period? They won't count toward final user balances. Talk about a silver lining!
But that's not all. KiloEx didn't just sit back and take it. They teamed up with the police and SlowMist to dig into the hack and figure out who was behind this crazy exploit. It's like a real-life crypto whodunit!
