The 0x vulnerability, explained

I'm pretty impressed by the 0x vulnerability. The details are assembly-heavy, but for anyone interested, this is the vulnerability in a nutshell:

  1. The vulnerability is inside the function related to trading. During this process 0x needs to verify that a signature is valid before allowing the trade to happen. The verification logic basically takes in some data and returns true if the signature is verified.

  2. In this verification step, the output of the call is written over the same memory that held its input, and the return value is then determined by loading the first 32 bytes of that memory as a boolean. But if the callee returns no data, nothing is overwritten: the memory still holds the input value, and when its first 32 bytes are loaded as a boolean, the result is true.
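
The pattern described in the two points above, as an added illustration that is not 0x's own code: a hypothetical `isValidSignature` verifier interface, a vulnerable validator that reuses its input buffer for the call's output and reads the first word as a boolean, and a hardened variant that writes the result to fresh memory and requires exactly one 32-byte word back. The contract names, the `NoVerifier` callee that returns no data, and the `IWalletVerifier` interface are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical external verifier interface (an assumption for this example).
interface IWalletVerifier {
    function isValidSignature(bytes32 hash, bytes calldata signature)
        external view returns (bool);
}

// A callee that does not implement isValidSignature: its fallback returns no data.
// An externally owned account (no code at all) behaves the same way for staticcall.
contract NoVerifier {
    fallback() external {}
}

contract SignatureValidatorDemo {
    // Flawed pattern: the call's return data is written over the call's own
    // input buffer, then the first 32 bytes of that buffer are read as a bool.
    function isValidVulnerable(address wallet, bytes32 hash, bytes memory signature)
        public view returns (bool isValid)
    {
        bytes memory callData =
            abi.encodeWithSelector(IWalletVerifier.isValidSignature.selector, hash, signature);
        assembly {
            let cdStart := add(callData, 32)      // skip the length word
            let cdLength := mload(callData)
            // Output region == input region. If the callee returns nothing, the
            // input (4-byte selector + first 28 bytes of hash) is left in place.
            let success := staticcall(gas(), wallet, cdStart, cdLength, cdStart, 32)
            if iszero(success) { revert(0, 0) }
            // Any non-zero word is treated as true; the selector is non-zero.
            isValid := mload(cdStart)
        }
    }

    // Hardened pattern: separate output buffer, exact return-data length check,
    // and only the canonical encoding of true (the value 1) is accepted.
    function isValidHardened(address wallet, bytes32 hash, bytes memory signature)
        public view returns (bool isValid)
    {
        bytes memory callData =
            abi.encodeWithSelector(IWalletVerifier.isValidSignature.selector, hash, signature);
        assembly {
            let cdStart := add(callData, 32)
            let cdLength := mload(callData)
            let out := mload(0x40)                 // fresh memory for the result
            mstore(out, 0)
            let success := staticcall(gas(), wallet, cdStart, cdLength, out, 32)
            if iszero(success) { revert(0, 0) }
            // A callee that returned nothing (or a malformed word) is rejected.
            if iszero(eq(returndatasize(), 32)) { revert(0, 0) }
            isValid := eq(mload(out), 1)
        }
    }

    // Demonstrates the difference against a callee that returns no data:
    // the vulnerable check reports true, the hardened one reverts.
    function demo() external returns (bool vulnerableResult) {
        address noVerifier = address(new NoVerifier());
        bytes32 hash = keccak256("constructed order hash");
        bytes memory sig = hex"00";               // constructed, meaningless signature
        vulnerableResult = isValidVulnerable(noVerifier, hash, sig); // true
        // isValidHardened(noVerifier, hash, sig) would revert here.
    }
}
```

The same class of defect is also caught without assembly: `(bool ok, bytes memory ret) = wallet.staticcall(callData); require(ok && ret.length == 32); return abi.decode(ret, (bool));` makes the length check explicit and lets the ABI decoder reject a non-canonical boolean.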

For details, check this out: