KiloEx's summary of the hacking incident: A bug in the TrustedForwarder contract led to this attack

According to ChainCatcher's message, KiloEx stated in a post that the root cause analysis and summary of the hacking incident revealed that the incident was caused by its smart contract's TrustedForwarder contract inheriting OpenZeppelin's MinimalForwarderUpgradeable but failing to override the execute method, which allowed the function to be called arbitrarily.

The attack occurred between April 14, 18:52 and 19:40 (UTC), with the hacker deploying attack contracts across multiple chains including opBNB, Base, BSC, Taiko, B2, and Manta. After negotiations, the hacker agreed to retain 10% of the bounty and has returned all stolen assets (including USDT, USDC, ETH, BNB, WBTC, and DAI) to the multi-signature wallet designated by KiloEx.