bZx attacks and 1inch.exchange allegations: Here’s what the teams have to say

There is now a new twist to the bZx attacks saga.

1inch.exchange, a decentralized exchange (DEX) aggregator, has alleged that it found a $2.5 million worth of vulnerability in bZx's Fulcrum lending protocol over a month ago, but bZx didn't inform users. 

It all started on January 11 when bZx's lending and margin trading platform Fulcrum released flash loans feature, said 1inch.exchange in a Medium blog post published Friday. "We discovered that $2.5M of user funds from 3 pools could be stolen within a single transaction."

The vulnerability had been published for less than 48 hours when 1inch.exchange discovered it, so there was "a very high chance malicious attackers could exploit it."

1inch.exchange went on to explain that it was prepared to perform a white-hat hack to protect user funds and even tested the vulnerability by transferring only one weiDAI (0.000000000000000001 DAI) in two separate transactions. It then reached out to the Fulcrum team to disclose the vulnerability. 

"It took nearly 4 hours for the Fulcrum team to manage the issue, and we got no details from the team about the progress. Additionally, the deployment of the fix took another 12 HOURS, because of special system upgrade timelock in the smart contract. So there were 16 hours during which anyone could steal $2.5M," said 1inch.exchange.

Since 1inch.exchange found the vulnerability, the firm says it requested bounty from the bZx team, but "they basically tried to deny us any bounty reward." 

 1inch.exchange further said that the Fulcrum team finally "tried to use the $3.5k to silence us and hide the whole thing."

"On top of all, the Fulcrum team started accusing us of the recent exploits," said 1inch.exchange. bZX lost around $943,000 in ether (ETH) in two attacks last week.  

One-sided story? 

bZx co-founder Kyle Kistner told The Block that the blog post by 1inch.exchange is one-sided. "We agreed to pay them a bounty even though they violated our disclosure policy by publishing the vulnerability to the public. This was an act of good faith," said Kistner. 

"We told them we were writing a post-mortem and scheduling it for the end of Feb. Industry standard responsible disclosure guidelines give 90 days for disclosure (ex. Google, Microsoft, etc. follow these guidelines). We were asking them to sign an NDA [non-disclosure agreement] because they seemed keen on extorting us," Kistner added.

1inch.exchange did not sign any NDA, per the blog post. 

But why did it publish the blog post today? "Since they [bZx] had 2 breaches recently we were pretty sure they will not publish anything [disclosure of the vulnerability] in Feb," Anton Bukov, co-founder of 1inch.exchange, told The Block. 

Kistner believes that it is "a pretty deep violation" by 1inch.exchange to post the blog post for the purpose of bug bounties.

Bukov, however, told The Block that "Money is not such matter for us. We are not sure they are going to pay. People just lost $750k in 2 latest attacks. Do you think we should care about $5k?"

1inch.exchange apparently initially demanded a bounty of closer to $40,000, Kistner told The Block. When asked if bZx will now pay 1inch.exchange the bounty, Kistner said: "This possibly changes things. We haven't made a decision to not pay them at this time however." 

Kistner notably also said that bZx did in passing suspect 1inch.exchange as the hacker of its latest attacks, "because they have motive and the technical skills but in the end we do not believe them to be behind the attack."