Odaily News: On April 21, KiloEx released a root cause analysis report on the hacking incident. According to the report, the TrustedForwarder contract in its smart contracts inherited OpenZeppelin's MinimalForwarderUpgradeable but did not override the execute method, which allowed the function to be called arbitrarily. The attack took place between 18:52 and 19:40 (UTC) on April 14, with the attacker deploying malicious contracts on the opBNB, Base, BSC, Taiko, B2 and Manta chains to carry it out.
After negotiations between KiloEx and the attacker, the attacker agreed to keep 10% as a bounty, and the remaining assets (including USDT, USDC, ETH, BNB, WBTC and DAI) have all been returned to the project's multi-signature wallet. The platform has fixed the vulnerability and resumed operations.
