One Missing Check: How KiloEx Lost $7.5M to a Forged Call Chain

OneKey Team
Jul 23, 2025

Key Takeaways

• A missing access check in the MinimalForwarder contract allowed arbitrary signature spoofing

• The attacker took control of the KiloPriceFeed oracle and manipulated asset prices at will

• Profits were made by artificially lowering prices, opening long positions, then reversing prices

• KiloEx lacked validation on caller identity, signature context, and internal trust boundaries

• The exploit serves as a powerful reminder: in composable DeFi systems, access control must be explicit, end-to-end, and never assumed

The Oracle Was Hijacked,
Token Prices Manipulated,
and $7.5 Million Drained.
All Because of One Missing Access Check.


KiloEx was hacked. Not with a zero-day, not with a novel exploit, but with something far simpler: a missing permission check.
One unchecked gate — and the attacker walked in, took over the price oracle, and drained the protocol dry.

Let’s walk through what happened.


The Setup

KiloEx’s perpetual trading architecture relies on an internal oracle contract called KiloPriceFeed.
In theory, only the platform’s Keeper module is allowed to call setPrices() to update prices.

But on-chain, that permission path isn’t direct — it’s a chained series of contracts:

MinimalForwarder → PositionKeeper → Keeper → KiloPriceFeed

And the attacker found their way right at the top.

Put simply: the attacker “put on an employee badge” and walked through the front door into the price control room — and no one stopped to check who they really were.


The Vulnerability

The MinimalForwarder contract allowed arbitrary addresses to execute calls by submitting forged signatures.
Crucially, the contract never verified whether the call path was legitimate.

The exploit flow:

  • Craft a fake signature
  • Impersonate any address
  • Traverse the contract chain down to KiloPriceFeed
  • Call setPrices() directly and manipulate oracle data

The Exploit

Once the attacker gained price control, the actual exploit was trivial:

  1. Push asset prices extremely low
  2. Open long positions
  3. Instantly drive prices back up
  4. Close positions for risk-free profit

This cycle was repeated across:

  • Base
  • opBNB
  • BNB Chain

Result: KiloEx’s liquidity pools were drained.


What Went Wrong?

According to analysis from @SlowMist_Team, the core issue was a lack of access control — particularly in the MinimalForwarder contract.

Key Failures:

  • No authentication at the entry point: execute() allowed anyone
  • No access control on setPrices() (oracle logic)
  • No call depth or path limits (multi-hop privilege escalation was possible)
  • Weak signature verification (forged, contextless signatures were accepted)
  • No enforcement of trusted boundaries between internal contracts

This wasn’t a narrow vulnerability — it was a design-level trust assumption failure.
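
As an added example (not KiloEx's contracts and not code from this write-up), here is what the two ends of that chain look like when each failure listed above is closed: a forwarder whose execute() relays nothing unless an EIP-712 signature binds a signer, nonce, deadline, target and exact calldata, and a price feed whose setPrices() checks its own caller against a keeper list, honouring an appended sender only when the call arrives from the one configured forwarder. The intermediate PositionKeeper and Keeper hops are collapsed for brevity; the contract names, the TrustedForwarder/GuardedPriceFeed layout and the MAX_DEVIATION_BPS sanity bound are assumptions, while setPrices() and execute() are the function names from the write-up. The same block answers the "who, from where, with what intent" questions of the next section.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not KiloEx's code. Contract names, MAX_DEVIATION_BPS and the
// single-hop layout are assumptions; setPrices()/execute() are the names from the article.

// A forwarder that binds every relayed call to a signer, a nonce, a deadline, the exact
// target and calldata, and this chain/contract (EIP-712 domain separator).
contract TrustedForwarder {
    struct ForwardRequest {
        address from;     // the account the call is made on behalf of
        address to;       // the only contract allowed to receive this call
        uint256 value;
        uint256 gas;
        uint256 nonce;    // replay protection, per signer
        uint48  deadline; // signature expiry
        bytes   data;     // the exact calldata the signer approved
    }

    bytes32 private constant REQUEST_TYPEHASH = keccak256(
        "ForwardRequest(address from,address to,uint256 value,uint256 gas,uint256 nonce,uint48 deadline,bytes data)"
    );
    bytes32 private immutable DOMAIN_SEPARATOR;
    mapping(address => uint256) public nonces;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("TrustedForwarder"), keccak256("1"), block.chainid, address(this)
        ));
    }

    // "Contextless" signatures fail here: the digest commits to who, what, where and when.
    function verify(ForwardRequest calldata req, bytes calldata sig) public view returns (bool) {
        if (sig.length != 65) return false;
        bytes32 structHash = keccak256(abi.encode(
            REQUEST_TYPEHASH, req.from, req.to, req.value, req.gas, req.nonce, req.deadline, keccak256(req.data)
        ));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
        (bytes32 r, bytes32 s, uint8 v) = (bytes32(sig[0:32]), bytes32(sig[32:64]), uint8(sig[64]));
        if (v < 27) v += 27;
        address signer = ecrecover(digest, v, r, s);
        return signer != address(0) && signer == req.from
            && req.nonce == nonces[req.from] && block.timestamp <= req.deadline;
    }

    // Entry point: the nonce is consumed before the call, so a captured request cannot be replayed.
    function execute(ForwardRequest calldata req, bytes calldata sig)
        external payable returns (bool ok, bytes memory ret)
    {
        require(verify(req, sig), "forwarder: bad signature, nonce or deadline");
        nonces[req.from] = req.nonce + 1;
        // ERC-2771 convention: append the verified signer so the target can recover it.
        (ok, ret) = req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
        require(ok, "forwarder: target reverted");
    }
}

// The privileged contract checks its own caller; it does not inherit trust from the hop before it.
contract GuardedPriceFeed {
    address public immutable trustedForwarder;
    address public immutable owner;
    mapping(address => bool) public isKeeper;
    mapping(address => uint256) public prices;
    uint256 public constant MAX_DEVIATION_BPS = 1_000; // assumed: at most a 10% move per update

    constructor(address forwarder) {
        trustedForwarder = forwarder;
        owner = msg.sender;
    }

    // Only the one configured forwarder may assert a sender; any other caller is taken as itself.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    function setKeeper(address keeper, bool allowed) external {
        require(msg.sender == owner, "feed: not owner");
        isKeeper[keeper] = allowed;
    }

    // The check the article says was missing, plus a sanity bound on how far a price may jump.
    function setPrices(address[] calldata tokens, uint256[] calldata newPrices) external {
        require(isKeeper[_msgSender()], "feed: caller is not a keeper");
        require(tokens.length == newPrices.length, "feed: length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 old = prices[tokens[i]];
            if (old != 0) {
                uint256 diff = old > newPrices[i] ? old - newPrices[i] : newPrices[i] - old;
                require(diff * 10_000 <= old * MAX_DEVIATION_BPS, "feed: deviation too large");
            }
            prices[tokens[i]] = newPrices[i];
        }
    }
}
```

Two design points follow from the failure list. First, in a real multi-hop chain every hop (PositionKeeper, Keeper) needs the same `_msgSender()` discipline and its own caller check, because a contract that forwards a call without re-checking the sender is exactly the "default trust" edge the article warns about; a forwarder that is itself trusted as a keeper would reintroduce the bug. Second, the deviation bound limits how much damage a single bad update can do, but it is a blast-radius control, not a substitute for access control: a keeper key that is compromised can still walk a price down in 10% steps, which is a reason to monitor for repeated same-direction updates as well.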


Lessons in Access Control

The more composable and modular your contracts are,
the more aggressively you need to validate:

  • Who is calling?
  • From where?
  • With what intent?

KiloEx didn’t validate those questions — and handed over its most sensitive function to an attacker.


Aftermath

KiloEx has:

  • Acknowledged the issue
  • Identified the root cause
  • Disabled the front end
  • Partnered with security firms to trace stolen funds

But for users, the important takeaway isn’t “the fix” —
It’s the failure mode.

In smart contract security, you don’t hope no one attacks you.
You design systems so that even if someone tries, they can’t.


Final Takeaways

Access control is foundational, but often overlooked in DeFi.

In any modular, multi-contract system:

  • Every unchecked edge
  • Every default trust

…is a doorway to takeover.

The KiloEx exploit wasn’t just a test for its developers.
It’s a public exam for every smart contract engineer in the space:

  • Will you skip “unnecessary” checks for the sake of dev speed?
  • Do you truly know who’s calling your contract, from where, and through what path?

Every line of code you leave unchecked is a line someone else will study carefully.
The less you know, the more others can exploit.


This time, the tuition was $7.5 million.
