KiloEx Proposes Hacker Bounty as ZKsync Faces Admin Account Breach

Security Breaches in DeFi Platforms

Two prominent decentralized finance (DeFi) platforms have encountered severe security issues this week, leading to cumulative losses exceeding $12 million. On April 15, ZKsync reported that a breach involving a compromised admin account allowed a hacker to mint $5 million in unclaimed airdrop tokens. Simultaneously, KiloEx revealed an earlier incident where it was targeted through a price oracle vulnerability, resulting in a theft of $7.5 million. Both platforms have reassured users that their funds remain secure while they work on coordinated recovery efforts.

KiloEx’s Response to the Exploit

In a unique response to the $7.5 million exploit on April 14, KiloEx has publicly reached out to the perpetrator, offering a 10% bounty—in this case, $750,000—as a last chance for the hacker to return the stolen assets. The exchange is facing intense scrutiny from its users and partners, compelling it to communicate a clear ultimatum to the hacker: refund 90% of the pilfered funds or confront potential legal repercussions.

The exploit was uncovered by cybersecurity experts including PeckShield, who determined that a price oracle vulnerability had been exploited, allowing the attacker to feed false asset values to the protocol and drain substantial amounts.

The hacker extracted funds amounting to approximately $3.3 million from the Base network, $3.1 million from opBNB, and around $1 million from the Binance Smart Chain, leading to a total theft of $7.5 million in digital currency.

Following the breach, KiloEx promptly suspended its operations to limit the damage. The platform stated that the security threat had been contained and that the exploited weakness could no longer be used. However, the incident has tarnished its reputation and financial standing.

In a follow-up statement, KiloEx outlined a white hat bounty program, encouraging the hacker to return the assets peacefully. This form of appeal is becoming more common in the aftermath of DeFi security breaches, as seen in other instances where these negotiations have led to the recovery of stolen funds.

KiloEx disclosed the wallet addresses associated with the attacker and indicated that these are being actively monitored with the involvement of law enforcement and cybersecurity teams. The exchange warned that it is poised to freeze any misappropriated funds if transactions are detected. The ultimatum to the hacker emphasized urgency, stating that failure to cooperate would compel the exchange to escalate the situation legally, including unveiling the hacker’s identity.

The communication channels offered to the hacker were KiloEx’s official email or an anonymous on-chain message, to allow discreet negotiations should the hacker wish to respond.

ZKsync’s Breach and Its Consequences

ZKsync, on the other hand, confirmed the exploit of its admin account on April 15, leading to the unauthorized minting of $5 million in unclaimed tokens. This incident, while isolated from user funds at large, has nevertheless raised concerns about the upcoming token distribution and overall security practices within the platform.

This specific breach brought into question the security frameworks governing airdrop contracts, as the compromised admin account was designed only for logistical management. The hacker leveraged a function named sweepUnclaimed to mint an excessive quantity of ZK tokens, compromising the contract’s integrity and raising questions about the platform’s internal safeguards.
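As an added illustration of the admin-function hardening this incident points at (hypothetical code written for this article, not ZKsync’s contract; the names BoundedAirdrop, claimDeadline and treasury are assumptions), here is a claim contract whose sweep function cannot mint and cannot move more than the tracked unclaimed remainder:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical airdrop contract (an illustration, not ZKsync's code).
// Weak pattern it replaces: an owner-only `sweepUnclaimed(uint256 n)` that
// calls `token.mint(owner, n)` with an unbounded n behind a single key.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract BoundedAirdrop {
    IERC20 public immutable token;
    address public immutable admin;         // intended to be a multisig or timelock, never an EOA
    address public immutable treasury;      // fixed destination for the sweep
    uint256 public immutable claimDeadline;
    uint256 public unclaimed;               // pool funded up front, decremented per claim
    mapping(address => uint256) public allocation;
    mapping(address => bool) public claimed;

    constructor(IERC20 _token, address _admin, address _treasury,
                uint256 _deadline, address[] memory who, uint256[] memory amt) {
        require(who.length == amt.length, "length mismatch");
        token = _token; admin = _admin; treasury = _treasury; claimDeadline = _deadline;
        for (uint256 i = 0; i < who.length; i++) {
            allocation[who[i]] = amt[i];
            unclaimed += amt[i];            // contract must hold exactly this many tokens
        }
    }

    function claim() external {
        require(block.timestamp <= claimDeadline, "claim window closed");
        require(!claimed[msg.sender], "already claimed");
        uint256 amt = allocation[msg.sender];
        require(amt > 0, "no allocation");
        claimed[msg.sender] = true;
        unclaimed -= amt;
        require(token.transfer(msg.sender, amt), "transfer failed");
    }

    // Hardened sweep: no mint authority, bounded by the tracked remainder,
    // callable only after the window closes, and only to the fixed treasury.
    function sweepUnclaimed() external {
        require(msg.sender == admin, "not admin");
        require(block.timestamp > claimDeadline, "window still open");
        uint256 amt = unclaimed;
        require(amt > 0, "nothing to sweep");
        unclaimed = 0;
        require(token.transfer(treasury, amt), "transfer failed");
    }
}
```

Even with a compromised admin key, the worst case here is an early transfer of the genuine leftover to a fixed treasury, not an unbounded mint.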

ZKsync maintains that the exploit was limited in scope and says it took immediate action to remedy the exposed weaknesses, collaborating with the Security Alliance (SEAL) to trace the stolen tokens while investigating the breach’s source.

Despite the lack of an official bounty from ZKsync at this stage, the protocol is under pressure to regain investor confidence, particularly as its current airdrop campaign is critical to attracting new users into its ecosystem, where it has over $59 million locked in value.

The implications of these breaches on ZKsync’s ability to perform its token drop, initially meant to reward early users and liquidity providers, are significant. Following the announcement of the incident, the ZK token saw a drastic drop in value, falling 16%, though it has somewhat rebounded since, reflecting the market’s wary sentiment.

Broader Trends in DeFi Security

These developments are part of a broader trend—2025 has witnessed a staggering $2 billion lost to crypto hacks in just the first quarter, nearing the entire amount lost in 2024. This highlights an urgent need for improved security measures, including more robust admin protections across DeFi protocols as vulnerabilities continue to expand in this rapidly evolving landscape.