What Happened

KiloEx — 2025 Backtest

$7M|Smart Contract Exploit|April 14, 2025

Attacker exploited the MinimalForwarder's permissionless execute() function to inject arbitrary oracle price updates through the keeper trust chain. The MinimalForwarder trusted PositionKeeper which trusted Keeper which could call KiloPriceFeed.setPrices() — with no access control validation at the forwarder layer. Attacker manipulated prices across BSC, opBNB, Base, and Taiko simultaneously, profiting from artificially favorable trade settlements.

What Hindenrank Would Have Said

As of March 1, 2025

D+

Risk Score

60/100

“KiloEx rates D+ as of March 2025. The ERC-2771 MinimalForwarder in the oracle trust chain represents a genuinely critical architectural risk that none of the published audits addressed. Combined with closed-source contracts and 6-chain deployment, a single vulnerability in the forwarder-oracle interaction could drain all LP funds. Binance Labs backing provides some credibility, but the structural oracle risk warrants a D+ grade.”

Mechanism Novelty10/15

Interaction Severity17/20

Oracle Surface10/10

Documentation Quality7/10

Track Record2/15

Scale Exposure3/10

Regulatory Risk5/10

Protocol Vitality6/10

Grade Predicted This Failure

Flagged by dimensions: Mechanism Novelty, Interaction Severity, Oracle Surface, Documentation Quality

One or more collapse scenarios directly matched the actual failure mode.

Top Risks Identified

1.MinimalForwarder (ERC-2771 trusted forwarder) used in oracle price submission chain has no access control override — execute() is permissionless on base OpenZeppelin implementation
2.Oracle trust chain (MinimalForwarder → PositionKeeper → Keeper → KiloPriceFeed.setPrices()) relies on unvalidated caller permissions at forwarder level
3.Core smart contracts are NOT open-source — no community security review possible beyond hired auditors
4.None of the 5 pre-TGE audits specifically audited the MinimalForwarder-Keeper-Oracle call chain interaction
5.Multi-chain deployment (6 chains) means a single vulnerability in shared contract architecture is exploitable across all chains simultaneously

Collapse Scenarios

Trusted Forwarder Oracle Price Injection

Elevated

Trigger

Attacker discovers MinimalForwarder execute() has no access control validation, enabling arbitrary oracle price injection through the keeper trust chain across all deployed chains.

Cascade

Attacker analyzes oracle trust chain and identifies that MinimalForwarder.execute() can be called by any address→Attacker can craft calldata that traverses MinimalForwarder → PositionKeeper → Keeper → KiloPriceFeed.setPrices() with malicious prices

Attacker opens a large leveraged position just before injecting manipulated price→Position is opened at real market price; attacker is now positioned to profit from the manipulation

Attacker injects extreme oracle price (e.g., ETH price set to 10x actual), instantly placing position in massive profit→Protocol calculates enormous unrealized profit for attacker's position; allows closeout at manipulated price

Attacker repeats across all 6 chains before team can pause→Both Buffer and Base Pool drained on all chains; LP depositors face total loss; KILO token (at TGE) crashes to zero

Historical Precedent

EIP-2771 trusted forwarder vulnerabilities have been exploited before (e.g., Multicoin wallet exploit, various DEX aggregator front-ends). Integrating the forwarder into an oracle trust chain amplifies the impact enormously.

Buffer Pool Depletion in Sustained Bull Market

Moderate

Trigger

Sustained directional market (bull or bear) results in prolonged trader profitability, draining the Buffer Pool and then exposing Base Pool LPs to direct loss.

Cascade

ETH or BTC enters sustained trending move; majority of leveraged traders profit→Buffer Pool absorbs initial trader P&L; Buffer balance declines week-over-week

Buffer Pool depleted after 2-4 weeks of sustained directional movement→Losses now reach Base Pool LPs directly; vault APY turns negative

LPs attempt to withdraw; 3-day epoch withdrawal cycle creates queue→Withdrawal queue builds; information asymmetry between sophisticated traders (who exit first) and retail LPs

Base Pool depleted below minimum threshold; protocol in insolvency→LP funds partially lost; protocol reputation destroyed; KILO token collapses

Historical Precedent

GMX V1 experienced 'GLP farming' strategies where sophisticated traders systematically profited from predictable LP positions. Peer-to-pool models face structural profitability challenges in trending markets.

See how today's protocols score

The same 8-dimension rubric applied to 672+ live protocols.

View Leaderboard All Backtests