Binance-Backed DEX Offers Hacker 10% Bounty to Return Funds

Decentralized exchange KiloEx suspended trading after suffering a $7 million exploit carried out across Base, BNB Chain and Taiko, the latest in a string of oracle-based attacks targeting DeFi protocols.

Built on BNB Chain, KiloEx received seed funding from Binance Labs, which invests in the Binance Coin (BNB) ecosystem.

The incident was first flagged by blockchain security firm Cyvers and involved an attacker manipulating KiloEx’s price oracle function to feed the platform false market data. By exploiting a flaw in oracle access controls, the attacker was able to execute leveraged trades at artificially skewed prices — generating outsized profits that allowed them to drain millions from the protocol.

One transaction alone netted over $3 million, data shows.

According to KiloEx, the attacker funded their wallet using Tornado Cash, a privacy-focused Ethereum mixer, making it harder to trace the source of funds. The team confirmed the vulnerability had been “contained” and that all platform operations were frozen to prevent further losses.

“The team immediately suspended platform usage and is working with security partners to trace the flow of funds,” KiloEx said in an April 14 update.

Whitehat Deal or Manhunt

In a follow-up post on Tuesday, KiloEx extended a peace offering to the attacker: return 90% of the stolen funds and keep 10% as a whitehat bounty. The team said it would publicly acknowledge the return and drop the case if the funds were returned.

“If you agree, please contact us at [email protected] or send an on-chain message to confirm,” the team wrote on X.

But the decentralized exchange also warned that ignoring the offer would result in a full-scale investigation. The platform pledged to collaborate with law enforcement and cybersecurity partners to uncover the attacker’s identity and pursue legal consequences.

“We will pursue legal action relentlessly. The choice is yours. Act now to avoid irreversible consequences,” KiloEx added.

Oracle manipulation attacks have plagued DeFi for years. One of the most infamous cases occurred in 2022 when Avraham Eisenberg drained $110 million from Mango Markets by inflating collateral values. Though he described the act as a “highly profitable trading strategy,” Eisenberg was convicted of fraud in 2024.

KiloEx joins a growing list of platforms rethinking oracle design and access controls as DeFi continues to grapple with the security risks of onchain pricing.

