KiloEx reveals $7m smart contract exploit in post-mortem report


Decentralized perpetual exchange KiloEx published a post-mortem on its $7 million exploit, which stemmed from a critical smart contract vulnerability.

According to the report, the issue stems from the TrustedForwarder contract, which inherited OpenZeppelin's MinimalForwarder but did not override the “execute” method, which left it without authorization.

This oversight allowed the attacker to manipulate trading positions on several chains. On April 13, the attacker launched the exploit by withdrawing 1 ETH from Tornado Cash to fund wallets across the chains.

The attacker carried out the exploit in less than an hour by abusing the unprotected method to open and close positions at favorable prices.
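The inheritance gap the report describes can be modeled in a few lines. This is an added Python sketch, not code from KiloEx or OpenZeppelin, and every class and function name in it is hypothetical: a subclass adds a guarded entry point but leaves the inherited execute callable by anyone, and an audit helper lists the base-class methods the subclass never overrode.

```python
# Constructed model; all names are hypothetical, not KiloEx or OpenZeppelin code.
class Unauthorized(Exception):
    """Raised when a caller is not on the forwarder's allow-list."""


class BaseForwarder:
    """Stand-in for a library forwarder whose execute() accepts any caller."""
    def execute(self, caller, request):
        # Relays the request to its target on behalf of request["sender"].
        return request["target"](request["sender"], request["payload"])


class WeakForwarder(BaseForwarder):
    """Adds a guarded entry point but never overrides the inherited execute()."""
    def __init__(self, keepers):
        self.keepers = frozenset(keepers)

    def _require_keeper(self, caller):
        if caller not in self.keepers:
            raise Unauthorized(caller)

    def keeper_execute(self, caller, request):
        self._require_keeper(caller)
        return BaseForwarder.execute(self, caller, request)


class HardenedForwarder(WeakForwarder):
    """Overrides execute() so the inherited path applies the same check."""
    def execute(self, caller, request):
        self._require_keeper(caller)
        return super().execute(caller, request)


def unguarded_inherited(cls, base):
    """Audit helper: public methods of `base` that `cls` exposes unchanged."""
    return sorted(
        name for name, member in vars(base).items()
        if callable(member) and not name.startswith("_")
        and getattr(cls, name) is member
    )


def try_call(forwarder, caller, request):
    """Return the relayed result, or "rejected" if authorization fails."""
    try:
        return forwarder.execute(caller, request)
    except Unauthorized:
        return "rejected"
```

Running unguarded_inherited against a forwarder subclass in review or CI flags every library entry point that still bypasses the subclass's own authorization check.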

The exploit was first detected by Cyvers Alerts, which reported suspicious cross-chain activity across Base, Taiko and BNB Chain. According to PeckShield, the losses were distributed over Base, opBNB and BSC.

Hacker negotiations

According to the report, and after sustained negotiations, the hacker agreed to retain 10% as a bounty and systematically returned all the stolen assets to KiloEx's multi-signature wallets.

KiloEx said that the vulnerability had been fixed and stressed that no open position would face liquidation. Instead, all positions will be closed according to the snapshot prices taken before the attack. Profits and losses from the exploit period will not count toward users' final settlements.

The platform also said that it was working with the police and SlowMist to investigate the hack.
