Per the announcement, third-party security researcher samczsun warned the 0x team about the vulnerability in the exchange smart contract and, after evaluating it, the team suspended the exchange’s contract and the AssetProxy contracts.
The vulnerability would have allowed an attacker to fill certain orders with invalid signatures. The announcement reassures users that no one has exploited this vulnerability and that no users have lost their funds. The only consequence is apparently a temporary suspension of the service:
“Unfortunately, this also means the currently deployed 0x contracts cannot process trades and are unable to be used. A patched version of the Exchange contract — that we are confident fixes this vulnerability — and new AssetProxy contracts are being deployed to the Ethereum mainnet and we expect them to be ready to use later tonight.”
Lastly, the team notes that the vulnerability is not contained in its ZRX token contract and that user funds are safe. They thanked the security researchers while inviting other white hat hackers to participate in 0x’s bug bounty program: