- The bZx attack incident has taken a new turn. 1inch.exchange claims that bZx's Fulcrum protocol had a security issue that could cost USD 2.5 million.
- 1inch.exchange also revealed that it offered to perform a white hat hack to test the vulnerability.
- Kyle Kistner, a representative from bZx, offered 1inch.exchange the bounty with an NDA, which they refused.
The bZx attack incident has taken a new turn. 1inch.exchange, a decentralized exchange aggregator, claims that bZx's Fulcrum protocol had a security issue that could cost USD 2.5 million. However, bZx failed to inform its users about this vulnerability.
The case goes back to January 11, when bZx's lending and margin trading system, Fulcrum, launched the flash loan feature. According to 1inch.exchange, they discovered that $2.5M of user funds from 3 pools could be stolen with a single hack.
The information about this vulnerability was made public less than 48 hours ago. This meant that the attacker could have exploited it.
1inch.exchange also revealed that it offered to perform a white hat hack to test the vulnerability. They tested the vulnerability by transferring one weiDAI (0.000000000000000001 DAI) through a couple of transactions. After confirming the security lapse, they contacted Fulcrum regarding this issue.
1inch.exchange further added, “It took nearly 4 hours for the Fulcrum team to manage the issue, and we got no details from them regarding the progress.” Additionally, the deployment of the fix took 12 more hours, mainly because of a special system upgrade timelock in the smart contract. This meant anyone could have stolen USD 2.5 million worth of assets during these 16 hours.
After being informed about the vulnerability, bZx denied the bug-finding bounty that 1inch.exchange should have received. To make matters worse, bZx tried to silence 1inch.exchange by offering USD 3,500.
Recently, Fulcrum has even accused 1inch.exchange of performing the recent hacks. However, bZx representatives have stated that 1inch.exchange is telling only half the story. 1inch.exchange broke their disclosure policy by publishing the exploit. Still, bZx offered the bounty for helping them.
Kyle Kistner, a representative from bZx, offered 1inch.exchange the bounty with an NDA, which they refused. Put simply, Kistner suggests that 1inch.exchange was trying to extort money from them.
Kistner accepted that they suspected that 1inch.exchange could be behind the hacks. They had a motive and the technical skills. However, bZx doesn’t think that 1inch.exchange would do such a thing.