1inch Exchange, the leading DEX aggregator in DeFi, accused bZx of withholding information on a bug that put $2.5 million of user funds at risk. bZx hit back, claiming they patched the bug and were ready to disclose it, only to be slandered.
In an unforeseen turn of events, the team behind DeFi’s leading DEX aggregator has disclosed an incident from January 2020, where bZx’s then-recent implementation of flash loans put $2.5 million of funds at risk.
At that time, the 1inch team discovered a bug in a contract recently deployed by bZx. The lending protocol took four hours to remedy the situation, to 1inch’s discontent. Removing the bug was subject to the bZx smart contract’s 12-hour timelock.
Co-founder Anton Bukov made the following comment, “We were very concerned about the hole in their mainnet which existed for 16 hours, it’s terrible to hear for every user. We still don’t know if they had a kill-switch or not.”
This contract was less than 48 hours old, according to the DEX aggregator, causing them to fear that malicious actors would take advantage of the opportunity and steal user funds.
bZx averted a major crisis, after which they initially refused to pay 1inch a bug bounty for their work.
Both parties finally agreed on terms for a bug bounty after prolonged negotiations. bZx then asked the 1inch team to sign NDAs, which was refused.
After the two recent exploits, the DEX aggregator felt the need to go public with this information.