KiloEx and other DEXs need access to token price data to determine exchange rates for various trading pairs. If the pricing oracles that provide this data are vulnerable to manipulation, an attacker may be able to purchase a token at a fraction of its true price, draining value from the exchange.

In the case of KiloEx, the root cause of the incident was an access control vulnerability. The project’s KiloPriceFeed contract includes a setPrices function that can only be accessed via a particular chain of function calls:

• The setPrices function is only callable from a specific function within the Keeper contract

• This function can only be called by a function in the PositionKeeper contract

• This function is callable only by the Minimal Forwarder contract.

While the access controls up to this point are strong, this is where the protocol breaks down. The MinimalForwarder’s execute contract is publicly accessible and allows the user to define the source address and a signature that passes signature validation.

Additionally, the user can pass any data that they want to the function, enabling them to construct a chain of calls that executes the setPrices function. The attacker exploited this fact by artificially defining the price of various tokens at a low point. Next, they created a long position and increased the perceived value of the token. Finally, they closed their position immediately and cashed out.

KiloEx is a multi-chain protocol, and the attacker exploited it on both Base and BSC. In total, they stole a total of about $7.5 million, including Base, opBNB, and BSC tokens. After the hack was discovered, KiloEx offered a $750k bounty and promised not to pursue legal action if the remaining 90% of the stolen funds were returned.

The KiloEx hack demonstrates the importance of securing access to price oracles. In this case, inadequate access controls and input validation enabled an attacker to submit a transaction that executed a chain of function calls that artificially lowered and raised the perceived value of various tokens.

Protecting against these types of attacks requires smart contract audits that both validate business logic and identify implementation errors. To enhance your security against price oracle manipulation and similar threats, reach out to Halborn.