Decentralized perpetual exchange KiloEx has published a post-mortem on the roughly $7 million exploit that resulted from a critical vulnerability in one of its smart contracts.
According to the report, the issue originated in the TrustedForwarder contract, which inherited from OpenZeppelin's MinimalForwarderUpgradeable but did not override the "execute" method, leaving it permissionless: any address could call it.
This oversight enabled the attacker to manipulate trading positions across several chains. On April 13, the attacker began the operation by withdrawing 1 Ether (ETH) from the Tornado Cash mixer to fund wallets on the affected chains.
The attacker carried out the exploit in under an hour, abusing the open "execute" method to open and close positions at prices favorable to them.
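The following Solidity sketch is an added illustration of the pattern the report describes; it is not KiloEx code and not taken from the post-mortem. It shows a forwarder that merely inherits MinimalForwarderUpgradeable (so "execute" stays callable by anyone) beside a hardened forwarder that overrides "execute" and restricts it to an allowlist of relayers. The contract names, the price-feed target, and the assumption that a downstream contract authorized callers only by checking msg.sender == forwarder are illustrative assumptions, not details stated in the report. It targets OpenZeppelin contracts-upgradeable v4.x, where MinimalForwarderUpgradeable exists and "execute" is virtual.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not KiloEx code. Assumes OpenZeppelin contracts-upgradeable
// v4.x; in v5 MinimalForwarderUpgradeable was replaced by ERC2771ForwarderUpgradeable.
import "@openzeppelin/contracts-upgradeable/metatx/MinimalForwarderUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// Vulnerable pattern: the contract only inherits. execute() keeps its inherited
/// public visibility, so any address can relay any request it has signed itself.
contract OpenTrustedForwarder is MinimalForwarderUpgradeable {
    function initialize() external initializer {
        __MinimalForwarder_init();
    }
    // No override of execute(): permissionless relaying.
}

/// Hypothetical downstream contract (assumption, not from the report). If it
/// authorizes callers only by checking that msg.sender is the forwarder, an
/// open execute() lets any self-signed request through.
contract NaivePriceFeed {
    address public immutable forwarder;
    mapping(bytes32 => uint256) public prices;

    constructor(address _forwarder) { forwarder = _forwarder; }

    function setPrice(bytes32 market, uint256 price) external {
        // Weak check: trusts whatever the forwarder relays, regardless of signer.
        require(msg.sender == forwarder, "not forwarder");
        prices[market] = price;
    }
}

/// Hardened forwarder: override execute() and gate it to an owner-managed
/// allowlist of relayer addresses.
contract GatedTrustedForwarder is MinimalForwarderUpgradeable, OwnableUpgradeable {
    mapping(address => bool) public isRelayer;

    function initialize() external initializer {
        __MinimalForwarder_init();
        __Ownable_init(); // owner = deployer/initializer caller
    }

    function setRelayer(address relayer, bool allowed) external onlyOwner {
        isRelayer[relayer] = allowed;
    }

    function execute(ForwardRequest calldata req, bytes calldata signature)
        public payable override returns (bool, bytes memory)
    {
        require(isRelayer[msg.sender], "forwarder: caller not an allowed relayer");
        return super.execute(req, signature); // signature + nonce checks still run
    }
}

/// Hardened target: authorize on the original signer the forwarder appends
/// (ERC-2771 calldata layout), not merely on the relaying forwarder.
contract GatedPriceFeed {
    address public immutable forwarder;
    mapping(address => bool) public isKeeper;
    mapping(bytes32 => uint256) public prices;

    constructor(address _forwarder, address keeper) {
        forwarder = _forwarder;
        isKeeper[keeper] = true;
    }

    /// Recover the forwarded sender from the trailing 20 bytes of calldata,
    /// exactly as ERC2771Context does; fall back to msg.sender for direct calls.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == forwarder && msg.data.length >= 20) {
            sender = address(bytes20(msg.data[msg.data.length - 20:]));
        } else {
            sender = msg.sender;
        }
    }

    function setPrice(bytes32 market, uint256 price) external {
        require(isKeeper[_msgSender()], "not an authorized keeper");
        prices[market] = price;
    }
}
```

The two fixes are independent and complementary: gating "execute" closes the relay to untrusted callers, while checking the forwarded signer means that even a misconfigured or permissionless forwarder cannot grant keeper privileges to an arbitrary signer. Auditing both sides (who may call the forwarder, and what the target actually verifies) is the check to apply to any ERC-2771 deployment.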
The exploit was first detected by Cyvers Alerts, which flagged suspicious cross-chain activity on Base, Taiko and BNB Chain. According to PeckShield, the losses were spread across Base, opBNB and BSC.
Hacker negotiations
According to the report, after continued negotiations the hacker agreed to retain a 10% bounty and returned all of the remaining stolen assets to KiloEx's designated Safe multi-signature wallets.
KiloEx said the vulnerability has been fixed and stressed that no open positions will face liquidation. Instead, all positions will be closed based on snapshots taken before the attack, and profits and losses from the exploit window will not count toward users' final balances.
The platform also said it is working with law enforcement and SlowMist to investigate the hack.