1/4 Last night I found an exploit in bZx. I noticed that a user was capable of duplicating "iTokens". There was 20+ million $ at risk. I informed the team, telling them to stop the protocol, and explained the exploit to them. At this point none of the founders were up.
2/4 I tried the exploit out. I created a loan using USDC (100 USD). From this I retrieved iUSDC. I then sent this to myself, practically duplicating the funds. I then created a claim for 200 USD.
3/4 After a while the admin I was talking to told me that he had finally got a hold of the team and was passing the info I was giving him through to them. At this point the attacker, I noticed, had drained substantial amounts of Dai and USDC.
4/4 bZx did an emergency stop and paused the contracts. I am currently awaiting my bounty, as it has to go through an "independent board" who will decide if it will be granted to me. Since bZx already made a post-mortem report on this, I figured I'd share here what actually happened.
5/4 I am highly convinced that the complete pool could have been drained if the attacker had a bit more time.
6/4 The reason I am tweeting this is not to slander bZx, but far too often teams do not pay out their bounties, even though in this scenario the amount at risk was very substantial. (Will update here when I hear more about my bounty claim.)
7/4 One of the founders just mentioned on Telegram that the "recommendation" from their independent security panel was a 12.5k bounty. Now I don't want to be greedy, but this number is a lot different from what they listed in their relaunch blog last month @rleshner
8/4 bZx just mentioned on a call that it doesn't feel like it's worth more than 12.5k, as their "independent" panel decided, and they feel like sticking to it. They are not willing to disclose the identities of the panel. Really disappointed in bZx.
9/4 bZx decided to raise the bounty and paid me out. I was just paid $45,000 in USDC. Happy to come to a conclusion. I wish the team all the best with their platform and hope that they will incentivise bounty hunters to keep finding bugs.
10/10 Thanks everyone for the support! This tweet was read 200,000 times and shared more than 200 times. I got a lot of support messages both here and on Telegram, which I appreciate so much. See you next time!
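The thread only says that sending iUSDC to oneself duplicated the balance; it does not give the root cause. The following is an added illustration, not bZx's code or the thread author's, written as a Python model of a token ledger. It assumes the usual cause of that symptom: a transfer that reads both the sender's and the receiver's balance before writing either, so that when sender and receiver are the same account the second write overwrites the debit with a stale value plus the amount. The hardened transfer and the supply-conservation invariant a test suite or monitor would use to catch this class of bug are shown alongside. Account names and amounts are constructed.

```python
"""Toy ledger modelling a self-transfer duplication bug and its fix.

Added example (not bZx's code). The vulnerable path ASSUMES the classic
"read both balances, then write both" pattern; the thread itself only
reports the symptom (a self-transfer doubled the sender's iUSDC).
"""

from dataclasses import dataclass, field
from itertools import product
from typing import Dict, Optional, Tuple


@dataclass
class Ledger:
    balances: Dict[str, int] = field(default_factory=dict)
    total_supply: int = 0

    def mint(self, who: str, amount: int) -> None:
        """Credit `who` and record the new supply (like minting iTokens on deposit)."""
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total_supply += amount

    def transfer_vulnerable(self, src: str, dst: str, amount: int) -> None:
        """Assumed buggy pattern: both balances cached before either write."""
        src_bal = self.balances.get(src, 0)
        dst_bal = self.balances.get(dst, 0)  # stale copy when src == dst
        if src_bal < amount:
            raise ValueError("insufficient balance")
        self.balances[src] = src_bal - amount
        # When src == dst this overwrites the debit above with (old + amount).
        self.balances[dst] = dst_bal + amount

    def transfer_fixed(self, src: str, dst: str, amount: int) -> None:
        """Hardened pattern: re-read each balance at the moment it is written."""
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def supply_is_conserved(self) -> bool:
        """Invariant: sum of all balances equals recorded total supply."""
        return sum(self.balances.values()) == self.total_supply


def run_self_transfer(vulnerable: bool) -> Tuple[int, bool]:
    """Mint 100 to one account, self-transfer 100, report balance and invariant."""
    ledger = Ledger()
    ledger.mint("alice", 100)  # constructed sample account
    transfer = ledger.transfer_vulnerable if vulnerable else ledger.transfer_fixed
    transfer("alice", "alice", 100)
    return ledger.balances["alice"], ledger.supply_is_conserved()


def find_invariant_breach(vulnerable: bool) -> Optional[Tuple[str, str]]:
    """Defender-side check: exercise every (src, dst) pair, including src == dst,
    on a fresh ledger and return the first pair that breaks supply conservation."""
    accounts = {"alice": 100, "bob": 50}  # constructed sample balances
    for src, dst in product(accounts, repeat=2):
        ledger = Ledger()
        for who, bal in accounts.items():
            ledger.mint(who, bal)
        transfer = ledger.transfer_vulnerable if vulnerable else ledger.transfer_fixed
        transfer(src, dst, 10)
        if not ledger.supply_is_conserved():
            return (src, dst)
    return None


if __name__ == "__main__":
    print("vulnerable self-transfer:", run_self_transfer(vulnerable=True))
    print("fixed self-transfer:     ", run_self_transfer(vulnerable=False))
    print("first breach (vulnerable):", find_invariant_breach(vulnerable=True))
    print("first breach (fixed):     ", find_invariant_breach(vulnerable=False))
```

The point of `find_invariant_breach` is that a self-transfer is an ordinary input, not an exotic one: a transfer test that enumerates account pairs (or a fuzzer that draws `src` and `dst` from the same small set) hits `src == dst` immediately, and the supply-conservation invariant flags the bug before any funds are at stake.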