bZx attacker returns over $8 million in exploited funds

The bZx team was able to track down the individual who allegedly exploited the platform for $8.1 million on September 13.

https://twitter.com/bZxHQ/status/1305496675474006017

bZx was able to identify the attacker by tracing their on-chain activity. Upon being identified, the attacker returned the funds to bZx. Although the hacker has been identified and the funds have been returned, the bZx team refuses to reveal the attacker’s identity for legal reasons.

The bZx bug bounty

In addition to the attacker returning funds, there was a significant amount of trouble between the bZx team, and the lead engineer at Bitcoin.com, Marc Thalen, the individual who reported the attack vector to bZx before the $8.1 million exploit took place.

At the time of the attack, Thalen posted on Twitter, creating a paper trail of evidence that proves that he was the individual who identified the bug in bZx protocol. Thalen says he created the paper trail because, “far too often teams do not pay out their bounties even though in this scenario the amount at risk was very substantial.”

And just as Thalen expected, he had trouble when it came to receiving a proper payout for identifying the bug. bZx told Thalen that their “independent security panel” reviewed Thalen’s submission and determined that the bug he found was worth a $12,500 payout. Unfortunately, that number does not resemble the numbers that bZx has listed on their bug bounty payout schedule considering how severe the bug Thalen found turned out to be and the impact the bug had on bZx.

7/4 one of the founders just mentioned on telegram that the "recommendation" from their independent security panel was a 12.5k bounty. Now I don't want to be greedy but this number is a lot different from what they listed in their relaunch blog last month @rleshner pic.twitter.com/bbGaRK1DJm

— 0xCommodity (@0xCommodity) September 14, 2020

“bZx just mentioned on a call it doesn’t feel like it’s worth more than 12.5k as their “independent” panel decided to and they feel like sticking to it. They are not willing to disclose identities of the panel,” said Thalen. “[I’m] really disappointed in bZx.”

But after voicing his thoughts on the bounty payment, continuing the paper trail on Twitter, and a phone call with bZx, the independent security panel decided to pay Thalen a more appropriate sum of $45,000.

“BZX decided to higher the bounty and paid me out,” said Thalen. “I was just paid $45.000 in USDC. Happy to come to a conclusion. I wish the team all the best with their platform and hope that they will incentivise bounty hunters to keep finding bugs.”