The 0x project disclosed a potential exploit in its Exchange contract that was discovered by third-party security researcher Sam Sun. The Exchange contract contains most of the business logic within the 0x protocol, including filling and cancelling orders, executing transactions, validating signatures and registering new contracts in the system.
According to CEO and co-founder of 0x Will Warren in a note, "This vulnerability would allow an attacker to fill certain orders with invalid signatures. This vulnerability does not affect the ZRX token contract; your digital assets are safe." However, as a precaution, 0x shut down the Exchange contract and the Asset Proxy contracts responsible for performing asset transfers on the 0x protocol.
The 0x team deployed patched Exchange and Asset Proxy contracts overnight and instructed teams working with the 0x protocol to point to these new contracts and to clear their order books of outstanding orders. Users are instructed to reset allowances for the new 0x Asset Proxy contracts.
Warren indicated that the 0x team will issue a post-mortem once it is certain that no other smart contracts are at risk due to the discovered exploit. He also thanked Sam Sun for discovering the bug, pointing out that 0x offers generous bug bounties to white hat hackers and community members who discover potential vulnerabilities. Warren promised a community dialogue in the next few days after "serious reflection" to ensure 0x protocol smart contract security practices are "transparent, rigorous and community-vetted."