Decentralized exchange KiloEx has been forced to suspend operations after suffering a $7 million exploit driven by a price oracle vulnerability—once again spotlighting the fragility of DeFi infrastructure.
The attack, confirmed by blockchain security firm Cyvers, unfolded across three networks—Base, BNB Chain, and Taiko—using a wallet funded through privacy protocol Tornado Cash. The attacker exploited a flaw in KiloEx’s oracle system to manipulate asset prices, enabling them to open highly profitable leveraged positions based on artificially deflated price data.
By using flash loans, the attacker temporarily distorted prices reported by the oracle—falsely valuing ETH at dramatically low levels. This allowed them to make it appear as though they had earned large profits, which were then withdrawn from KiloEx’s liquidity pools before the issue could be contained.
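The following Python example is added here for illustration and is not KiloEx's code or incident data. It shows why a leveraged long opened on a deflated oracle price pays out so heavily, and how a deviation check against recently accepted prices rejects the bad tick. The 5% threshold, the feed values and all names (`PriceGuard`, `effective_prices`, `payout`) are assumptions.

```python
from dataclasses import dataclass, field
from statistics import median


@dataclass
class PriceGuard:
    """Accept an oracle update only if it stays close to recent accepted prices."""
    max_deviation_bps: int = 500   # assumed policy: reject moves above 5%
    window: int = 5                # accepted prices kept as the reference set
    history: list = field(default_factory=list)

    def submit(self, price):
        """Return True and record the price if accepted, False if rejected."""
        if price <= 0:
            return False
        if self.history:
            ref = median(self.history)
            if abs(price - ref) / ref * 10_000 > self.max_deviation_bps:
                return False   # a real venue would also pause trading here
        self.history = (self.history + [price])[-self.window:]
        return True


def effective_prices(reported, guard=None):
    """Price the exchange would trade on after each update (last accepted)."""
    used, last = [], None
    for price in reported:
        if guard is None or guard.submit(price):
            last = price
        used.append(last)
    return used


def long_pnl(margin, leverage, entry, exit_price):
    """Profit of a leveraged long: notional * (exit / entry - 1)."""
    return margin * leverage * (exit_price / entry - 1)


# Constructed feed (not incident data): index 3 is a manipulated, deflated tick.
FEED = [3000.0, 3010.0, 2995.0, 100.0, 3005.0]


def payout(guard=None, margin=1_000.0, leverage=10):
    """Open a long on the tick at index 3, close on the next tick."""
    used = effective_prices(FEED, guard)
    return long_pnl(margin, leverage, used[3], used[4])


if __name__ == "__main__":
    print("unguarded payout:", round(payout(), 2))
    print("guarded payout:  ", round(payout(PriceGuard()), 2))
```

The guard accepts the first price it sees without any reference, so in practice the reference set would be seeded from an independent source before trading opens.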
KiloEx immediately halted trading and is now working with partners to trace the attacker’s movements and freeze any associated wallets. The team has also issued a public appeal to the hacker, offering a 10% bounty if 90% of the funds are returned.
One transaction alone netted over $3.1 million, and the attacker leveraged the DEX’s cross-chain design to maximize the impact before detection.
Oracle manipulation has been a recurring attack vector in decentralized finance. Similar incidents have previously led to hundreds of millions in losses at other platforms like Mango Markets and Cream Finance.
As KiloEx investigates and attempts to recover the stolen funds, the incident serves as another stark reminder of the challenges DeFi platforms face in securing complex, multi-chain ecosystems.