KiloEx Security Incident: Root Cause Analysis & Post-Mortem
Vulnerability Root Cause Analysis
The TrustedForwarder contract inherited OpenZeppelin's MinimalForwarderUpgradeable but did not override its execute method, so execute remained callable by anyone.
The attacker exploited this by:
- Directly calling the original execute method in MinimalForwarderUpgradeable.
- Crafting a request that invoked delegateExecutePositions, which only verified msg.sender == trustedForwarder without checking whether the forwarded caller was an authorized keeper.
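The second finding is the check that would have stopped the forwarded call regardless of how the forwarder was gated: a target contract must verify the original signer of the relayed request, not merely that the call arrived via the trusted forwarder. The following is an added illustration, not KiloEx's code; it assumes OpenZeppelin 4.x's ERC2771ContextUpgradeable, and the contract name, keeper allowlist and delegateExecutePositions body are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed OpenZeppelin 4.x upgradeable import path.
import "@openzeppelin/contracts-upgradeable/metatx/ERC2771ContextUpgradeable.sol";

// Hypothetical position manager reached through a trusted ERC-2771 forwarder.
// PositionManager, keepers and the function body are illustrative, not KiloEx's.
contract PositionManager is ERC2771ContextUpgradeable {
    address public owner;
    mapping(address => bool) public keepers;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor(address forwarder) ERC2771ContextUpgradeable(forwarder) {
        owner = msg.sender;
    }

    function setKeeper(address keeper, bool allowed) external {
        require(msg.sender == owner, "not owner");
        keepers[keeper] = allowed;
    }

    // The weak check was effectively `require(msg.sender == trustedForwarder)`.
    // With a permissionless forwarder that only proves the call was relayed,
    // not who signed the relayed request. The forwarder appends the signer
    // (req.from) to calldata; _msgSender() recovers it, and that address is
    // what must be on the keeper allowlist.
    modifier onlyKeeperViaForwarder() {
        require(isTrustedForwarder(msg.sender), "caller is not the trusted forwarder");
        require(keepers[_msgSender()], "forwarded request was not signed by a keeper");
        _;
    }

    function delegateExecutePositions(bytes calldata /* positions */)
        external
        onlyKeeperViaForwarder
    {
        // Position execution would follow here; elided in this example.
    }
}
```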
Attack Method:
In a single transaction, the attacker:
- Opened a position at an artificially low price.
- Closed it at a higher price.
This exploit enabled the attacker to profit illegitimately.
Attack Timeline
Preparation Phase
- Apr-13-2025 23:31:59 UTC: Attacker address 0x00faC92881556A90FdB19eAe9F23640B95B4bcBd withdrew 1 ETH from Tornado Cash.
- Apr-13-2025 23:39:11 UTC to Apr-14-2025 01:21:36 UTC: The attacker split and transferred the ETH via multiple DeFi protocols and bridges to opBNB, Base, BSC, Taiko, B2, and Manta chains to fund gas fees for the subsequent attacks.
Attack Deployment
- Apr-14-2025 18:27:43 to 19:36:49 UTC: The attacker deployed attack contracts across the aforementioned chains. Details:
Execution Phase
- Apr-14-2025 18:52:27 to 19:40:49 UTC: The attacker executed attacks across all chains. Full details:
Funds Recovery
After sustained negotiations, the attacker agreed to retain a 10% bounty and returned all remaining stolen assets to KiloEx's designated Safe multi-signature wallets at the following addresses:
- opBNB: 0xb1a95732ed3c75f7b1dc594a357f7a957e9baad2
- BNB/Base/ETH/Arbitrum: 0xD38A22f5330f45162F13086d6CcbDE0335C1ae9e
- Manta: 0x0f9c71f888c1d263eab34d6d9360a3a45855365d
Refunded Assets: In addition to the original USDT and USDC, the refund included converted assets: ETH, BNB, WBTC and DAI.