An attacker found a way to mint unbacked iTokens that they could then redeem against other cryptos held in lending pools for DeFi lender bZx.
Source: coindesk