Today (7/12), at approximately 4:30 PM PT, we were made aware of a potential vulnerability in the 0x v2.0 Exchange contract by third-party security researcher samczsun. The vulnerability would allow an attacker to fill certain orders with invalid signatures. It does not affect the ZRX token contract; your digital assets are safe.

After verifying the vulnerability internally at 0x, and out of an abundance of caution, we have used the AssetProxyOwner contract to shut down the v2.0 Exchange and all AssetProxy contracts to prevent it from being exploited. The contracts were shut down at approximately 7:45 PM PT. To the best of our knowledge, no one has exploited this vulnerability and no user funds have been lost. Unfortunately, this also means the currently deployed 0x contracts cannot process trades and cannot be used until they are replaced.

A patched version of the Exchange contract, which we are confident fixes this vulnerability, and new AssetProxy contracts are being deployed to the Ethereum mainnet; we expect them to be ready to use later tonight.

Exploit Description

We are withholding details of the vulnerability until we have verified that other smart contracts are not exposed to the same issue; a full description will follow in a formal post-mortem.

📌 Update (07/13–10:30 PM PT):

@samczsun has provided a detailed explanation of the vulnerability here.

Immediate Next Steps

Teams integrating 0x will need to point to the patched, newly deployed Exchange and AssetProxy contracts and clear their orderbooks of outstanding orders (orders are signed against a specific Exchange address, so orders signed for the old Exchange cannot be filled on the new one). Users will need to reset their token allowances for the new 0x AssetProxy contracts. This post will be updated with the new addresses post-deployment.
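As an added example (not code from 0x or from this post), the JavaScript below sketches the integrator and user side of that migration: it splits an orderbook into entries signed against the old Exchange (to be dropped) and entries that can stay, and it builds the two ERC20 approve transactions a user sends per token (revoke the old AssetProxy, then approve the new one). Every contract address in it is a placeholder, not a real 0x address; it assumes orderbook entries carry an exchangeAddress field, as the 0x.js SignedOrder JSON format does; the approve selector 0x095ea7b3 is the standard ERC20 one.

```javascript
// Added example, not 0x's own code. All addresses are placeholders.
const OLD_EXCHANGE    = "0x1111111111111111111111111111111111111111"; // placeholder
const NEW_EXCHANGE    = "0x2222222222222222222222222222222222222222"; // placeholder
const OLD_ERC20_PROXY = "0x3333333333333333333333333333333333333333"; // placeholder
const NEW_ERC20_PROXY = "0x4444444444444444444444444444444444444444"; // placeholder

// First 4 bytes of keccak256("approve(address,uint256)"): the ERC20 approve selector.
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

function isAddress(a) {
  return /^0x[0-9a-fA-F]{40}$/.test(a);
}

// Left-pad a hex string (without 0x) to one 32-byte ABI word.
function word(hex) {
  return hex.toLowerCase().padStart(64, "0");
}

// Raw calldata for ERC20.approve(spender, amount): selector || address word || uint256 word.
function approveCalldata(spender, amount) {
  if (!isAddress(spender)) throw new Error("bad spender address: " + spender);
  if (typeof amount !== "bigint" || amount < 0n || amount > MAX_UINT256) {
    throw new Error("amount must be a bigint in [0, 2^256 - 1]");
  }
  return "0x" + APPROVE_SELECTOR + word(spender.slice(2)) + word(amount.toString(16));
}

// The two transactions a user sends per token when the AssetProxy changes:
// 1. approve(oldProxy, 0)  - removes the standing approval to a contract that is
//    no longer in use, and satisfies tokens that refuse to move a non-zero
//    allowance directly to another non-zero value.
// 2. approve(newProxy, amount) - grants the replacement proxy.
function allowanceResetTxs(token, oldProxy, newProxy, amount = MAX_UINT256) {
  if (!isAddress(token)) throw new Error("bad token address: " + token);
  return [
    { to: token, data: approveCalldata(oldProxy, 0n) },
    { to: token, data: approveCalldata(newProxy, amount) },
  ];
}

// Split an orderbook into orders that must be dropped (signed against the old
// Exchange) and orders that may stay. Assumes each entry has an exchangeAddress field.
function partitionOrders(orders, oldExchange) {
  const stale = [];
  const live = [];
  for (const o of orders) {
    if (typeof o.exchangeAddress !== "string") throw new Error("order lacks exchangeAddress");
    (o.exchangeAddress.toLowerCase() === oldExchange.toLowerCase() ? stale : live).push(o);
  }
  return { stale, live };
}

// Constructed sample orderbook (not real orders); only the fields used here are filled in.
const SAMPLE_ORDERS = [
  { makerAddress: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", exchangeAddress: OLD_EXCHANGE, salt: "1" },
  { makerAddress: "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", exchangeAddress: NEW_EXCHANGE, salt: "2" },
  { makerAddress: "0xcccccccccccccccccccccccccccccccccccccccc", exchangeAddress: OLD_EXCHANGE, salt: "3" },
];

// Stand-alone usage: show what an integrator would drop and what a user would sign.
const SAMPLE_TOKEN = "0x5555555555555555555555555555555555555555"; // placeholder
const { stale, live } = partitionOrders(SAMPLE_ORDERS, OLD_EXCHANGE);
console.log(`dropping ${stale.length} stale order(s), keeping ${live.length}`);
for (const tx of allowanceResetTxs(SAMPLE_TOKEN, OLD_ERC20_PROXY, NEW_ERC20_PROXY)) {
  console.log(tx.to, tx.data);
}
```

The transactions are returned as plain {to, data} objects so they can be fed to whatever signer or wallet library a team already uses; nothing here talks to a node.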

On behalf of the 0x core team, I sincerely apologize. Since the beginning, we have set an extremely high bar for code quality, test hygiene, and the independent security auditors we work with. We understand that the existence of a potentially critical bug deserves serious reflection. We hope to discuss this issue with the broader community in the next few days to ensure all smart contract security practices for 0x protocol are transparent, rigorous, and community-vetted.

We also want to extend our sincerest gratitude to samczsun. We continue to offer a generous bug bounty to white hat hackers and community members who identify potential vulnerabilities.

If you have any further questions or just want to speak with someone from the Core Team, please do not hesitate to reach out on Discord. We will spend as much time as necessary to work through any technical issues.