Decentralized exchange (DEX) KiloEx said it will compensate traders and stakers hurt by a $7.5 million exploit that temporarily shut down the platform earlier in April.

In an April 24 announcement, KiloEx said traders who had positions open while the platform was suspended would get full compensation if their losses increased or profits decreased. The platform said it would pay the difference. 

KiloEx urged traders to close their positions immediately once the platform resumes operations, as delaying could affect their profit and losses, which may then impact the compensation amount.

“Please close your position as soon as possible after the platform resumes. Compensation will be calculated based on the platform’s resume time,” KiloEx stated. 

For the platform’s Hybrid Vault stakers, KiloEx said that the stolen funds were fully reinjected into the vault. As a result, staker earnings and principal will remain unaffected. However, KiloEx said it will still provide an additional 10% annual percentage yield (APY) as a bonus for eligible stakers.

The bonus APY will be awarded to users who had funds in the vault prior to the platform’s resumption.

On April 15, KiloEx offered a 10% bounty to the hacker who stole the funds from the platform. The DEX said that the hacker could keep $750,000 as a white hat bounty if they decided to return 90% of the stolen funds. The platform threatened to expose the hacker’s identity and take legal action if they did not comply. 

Shortly after, security platforms flagged transactions indicating that the KiloEx hacker returned the stolen funds. On April 18, the DEX said it would withdraw all legal action against the hacker and reward them with a 10% white hat bounty. 

KiloEx hacker exploited a price oracle vulnerability

On April 14, KiloEx suspended its platform after containing the exploit that led to the $7.5 million in losses. Security firm PeckShield said the attacker likely exploited a price oracle vulnerability that allowed them to inflate the prices to gain more profit than they should have. 

In a post-mortem published by KiloEx, the platform confirmed that the attacker exploited a permissionless function. The DEX said the attacker crafted a request that only authorized entities should have been able to do. 

Using this, the attacker opened a position at an “artificially low price.” This was followed by closing the position at a higher price, providing illegitimate profit to the attacker.