1/4 Last night I found an exploit in bZx. I noticed that a user was capable of duplicating “iTokens”. There was $20+ million at risk. I informed the team, telling them to stop the protocol, and explained the exploit to them. At this point none of the founders were up.
2/4 I tried the exploit out. I created a loan using USDC (100 USD). From this I retrieved iUSDC. I then sent this to myself, practically duplicating the funds. I then created a claim for 200 USD.
3/4 After a while the admin I was talking to told me that he had finally got hold of the team and was passing the info I was giving him through to them. At this point, I noticed, the attacker had drained substantial amounts of DAI and USDC.
4/4 bZx did an emergency stop and paused the contracts. I am currently awaiting my bounty, as it has to go through an “independent board” who will decide whether it will be granted to me. Since bZx has already published a post-mortem report on this, I figured I'd share here what actually happened.
5/4 I am highly convinced that the complete pool could have been drained if the attacker had had a bit more time.
6/4 The reason I am tweeting this is not to slander bZx, but far too often teams do not pay out their bounties, even though in this scenario the amount at risk was very substantial. (Will update here when I hear more about my bounty claim.)
7/4 One of the founders just mentioned on Telegram that the "recommendation" from their independent security panel was a 12.5k bounty. Now I don't want to be greedy, but this number is a lot different from what they listed in their relaunch blog last month. @rleshner
8/4 bZx just mentioned on a call that it doesn’t feel like it’s worth more than 12.5k, as their “independent” panel decided so and they feel like sticking to it. They are not willing to disclose the identities of the panel. Really disappointed in bZx.
9/4 bZx decided to raise the bounty and paid me out. I was just paid $45,000 in USDC. Happy to come to a conclusion. I wish the team all the best with their platform and hope that they will incentivise bounty hunters to keep finding bugs.
10/10 Thanks everyone for the support! This tweet was read 200,000 times and shared more than 200 times. I got a lot of support messages both here and on Telegram, which I appreciate so much. See you next time!
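The duplication step in tweet 2/4, modelled as an added example that is not bZx's code or part of the post-mortem: a toy iToken ledger whose transfer computes both new balances from the pre-transfer state (an assumed root cause, used here only for illustration), beside a hardened transfer and a supply-conservation check that catches the self-transfer case.

```python
"""Self-transfer duplication in a token ledger: vulnerable vs. hardened.

Illustrative model (constructed example, not bZx's code). Assumption: the
vulnerable transfer computes both new balances from the old state and then
writes them, so when sender == recipient the credit overwrites the debit.
"""
from dataclasses import dataclass, field


@dataclass
class VulnerableIToken:
    balances: dict = field(default_factory=dict)
    total_supply: int = 0

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def transfer(self, sender, to, amount):
        # Both results are computed from the pre-transfer state ...
        new_from = self.balances.get(sender, 0) - amount
        if new_from < 0:
            raise ValueError("insufficient balance")
        new_to = self.balances.get(to, 0) + amount
        # ... then written; if sender == to, new_to discards the debit.
        self.balances[sender] = new_from
        self.balances[to] = new_to


class HardenedIToken(VulnerableIToken):
    def transfer(self, sender, to, amount):
        # Debit first, then credit from the *updated* state, so a
        # self-transfer is a no-op and total supply is conserved.
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def supply_invariant_holds(token):
    """Detection check: minted supply must equal the sum of all balances."""
    return sum(token.balances.values()) == token.total_supply


def self_transfer_demo(token_cls, deposit=100):
    """Mint `deposit` iUSDC to alice, self-transfer it all,
    and return (alice's balance, invariant_ok)."""
    t = token_cls()
    t.mint("alice", deposit)
    t.transfer("alice", "alice", deposit)
    return t.balances["alice"], supply_invariant_holds(t)
```

Running `self_transfer_demo` on the vulnerable ledger turns a 100-unit deposit into 200 and breaks the supply invariant, which is the kind of check a monitoring job can run against on-chain state; the hardened ledger leaves the balance at 100.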
You can follow @MarcThalen.