Exchange developers and hacker resolve Trump-style conflict of interest and make a favorable deal

“Make a deal”: How the KiloEx exchange recovered $8.4 million in stolen assets

23.04.2025

On April 14, the decentralized crypto derivatives exchange KiloEx was hacked, and the attacker withdrew $8.4 million in assets. A few days later, the trading platform had the cryptocurrency back. GetBlock AML Research explains how this happened and what comes next for the exchange.

The reason for the hack

After the attack, KiloEx found that the attacker had exploited a vulnerability in one of its own smart contracts that let them bypass every check and permission needed to open positions and withdraw funds. The vulnerability was in the execute method of the TrustedForwarder contract, which inherited from MinimalForwarderUpgradeable without overriding that method.

execute method source code
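The page does not reproduce the contract, so the following is an added illustration rather than KiloEx's code: a minimal ERC-2771-style forwarder in the shape of OpenZeppelin's MinimalForwarder, showing the checks an execute method is expected to perform before relaying a call, next to a recipient that trusts it. The contract names (CheckedForwarder, Vault), the EIP-712 domain and the withdraw function are assumptions made for the example. The point it makes is why an unverified execute is so damaging: an ERC-2771 recipient takes the caller's identity from the 20 bytes the forwarder appends to calldata, so the forwarder's signature and nonce check is the only gate between "anyone" and "any account".

```solidity
// SPDX-License-Identifier: MIT
// Added example, not KiloEx's contract. Names and domain are assumptions.
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/utils/cryptography/EIP712.sol";

/// Forwarder whose execute relays a call only for a request signed by `from`
/// with the expected nonce. Without these two checks, the relayed call could
/// carry any `from` address the submitter chooses.
contract CheckedForwarder is EIP712 {
    using ECDSA for bytes32;

    struct ForwardRequest {
        address from;   // account on whose behalf the call is relayed
        address to;     // recipient contract
        uint256 value;
        uint256 gas;
        uint256 nonce;  // replay protection, one counter per `from`
        bytes data;     // calldata for the recipient
    }

    bytes32 private constant _TYPEHASH = keccak256(
        "ForwardRequest(address from,address to,uint256 value,uint256 gas,uint256 nonce,bytes data)"
    );

    mapping(address => uint256) private _nonces;

    constructor() EIP712("CheckedForwarder", "1") {}

    function getNonce(address from) external view returns (uint256) {
        return _nonces[from];
    }

    /// True only if the EIP-712 signature over the request recovers to
    /// `req.from` and the nonce is the next one for that account.
    function verify(ForwardRequest calldata req, bytes calldata signature)
        public view returns (bool)
    {
        address signer = _hashTypedDataV4(
            keccak256(abi.encode(
                _TYPEHASH, req.from, req.to, req.value, req.gas, req.nonce, keccak256(req.data)
            ))
        ).recover(signature);
        return _nonces[req.from] == req.nonce && signer == req.from;
    }

    /// Relays the call; the signature check and nonce bump are the permission
    /// layer that a recipient contract relies on.
    function execute(ForwardRequest calldata req, bytes calldata signature)
        external payable returns (bool success, bytes memory returndata)
    {
        require(verify(req, signature), "CheckedForwarder: bad signature or nonce");
        _nonces[req.from] = req.nonce + 1;

        // ERC-2771: append the verified `from` so the recipient can read it.
        (success, returndata) = req.to.call{gas: req.gas, value: req.value}(
            abi.encodePacked(req.data, req.from)
        );

        // Revert if the relayer did not supply enough gas for the inner call (EIP-150 rule).
        if (gasleft() <= req.gas / 63) {
            assembly { invalid() }
        }
    }
}

/// Recipient that trusts the forwarder above. It never sees the signature;
/// it simply believes the address the forwarder appended.
contract Vault {
    address private immutable _trustedForwarder;
    mapping(address => uint256) public balances;

    constructor(address forwarder) { _trustedForwarder = forwarder; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    /// When called through the trusted forwarder, the real sender is the last
    /// 20 bytes of calldata; otherwise it is msg.sender as usual.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == _trustedForwarder && msg.data.length >= 20) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    function withdraw(uint256 amount) external {
        address user = _msgSender();
        require(balances[user] >= amount, "Vault: insufficient balance");
        balances[user] -= amount;
        (bool ok, ) = payable(user).call{value: amount}("");
        require(ok, "Vault: transfer failed");
    }
}
```

Reading the two contracts together shows where the trust sits: Vault.withdraw authorizes against whatever address the forwarder appended, so every permission check the exchange performs on the caller is only as strong as CheckedForwarder.verify. A review of a forwarder that inherits execute from a base contract should therefore confirm that the inherited method actually performs this verification, and that any override keeps it.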

Attack chronology

13.04.25 23:31:59 UTC. An address belonging to the hacker (0x00faC92881556A90FdB19eAe9F23640B95B4bcBd) received 1 ETH from Tornado Cash as primary funding;

14.04.25 01:21:36 UTC. The hacker distributed funds to different networks (opBNB, Base, BSC, Taiko, B2, and Manta) using cross-chain bridges;

14.04.25 19:36:49 UTC. Malicious smart contracts with exploits were deployed in the networks described above;

14.04.25 19:40:49 UTC. The hacker conducted a successful attack using the deployed contracts.

One of the malicious contracts on the opBNB network

KiloEx team response

The developers of the KiloEx exchange reacted to the attack quickly, analyzing the incident and identifying the vulnerability the attacker had used. Having no alternatives, the KiloEx team made the only correct decision — to contact the hacker and offer to settle the situation in exchange for the return of the funds. Under KiloEx’s terms, the hacker could keep 10% of the stolen amount as a reward for finding the vulnerability.

Communication between the KiloEx team and the hacker on the Ethereum blockchain

The hacker agreed to the KiloEx developers’ terms and returned the stolen assets, minus his reward, to the exchange’s new secure wallets.

The addresses used by KiloEx to store the assets are:

It was the KiloEx team’s speed of reaction and prompt contact with the hacker that resolved the situation and saved the project: the exchange developers reached the hacker before he had a chance to launder the funds.

Future plans have not been determined

After successfully recovering the stolen funds, the KiloEx team did not rush to relaunch the exchange. They said on their X social media page that they will first conduct a comprehensive security review to find any other vulnerabilities and rule out the possibility of another hack. After that, KiloEx will conduct a full audit of the exchange’s logic and economic model. The developers estimate the technical work at about 45 days, after which the KiloEx team will announce its next steps.

KiloEx team’s appeal on X