Security experts from CertiK discovered a critical vulnerability in the Ember Sword NFT auction contract, leading to financial losses for 159 users totaling $195,000.
We have seen an exploit on an unverified Ember Sword NFT auction contract, profiting 60 WETH (~$195K).
The exploiter took advantage of its uninitialized state to claim the owner role and purchase fake NFTs with WETH from 159 victims who approved allowance.
— CertiK Alert (@CertiKAlert) April 28, 2024
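The mechanism CertiK's alert describes, as an added illustration that is not the Ember Sword contract: an auction whose owner is assigned by an unguarded public initializer, so a never-initialized deployment lets the first caller take ownership and drive an owner-only settlement path against every account holding a standing WETH allowance. The contract names, the `settle`/`bid` functions and the hardened variant are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Constructed illustration, not the Ember Sword code: owner is set by a public
// initializer with no guard. If initialize() was never called after deployment,
// the first caller becomes owner and can settle "sales" against any allowance.
contract UnguardedAuction {
    address public owner;
    IERC20 public immutable weth;
    constructor(IERC20 weth_) { weth = weth_; }

    function initialize(address owner_) external {
        owner = owner_; // no "already initialized" check
    }

    // Owner settles a sale by pulling the price straight from the buyer's allowance.
    function settle(address buyer, uint256 price) external {
        require(msg.sender == owner, "not owner");
        require(weth.transferFrom(buyer, owner, price), "transfer failed");
    }
}
// Hardened form: one-shot initializer, and settlement moves only the amount the
// bidder recorded with their own bid() call, so the owner cannot invent a sale.
contract GuardedAuction {
    address public owner;
    IERC20 public immutable weth;
    bool private initialized;
    mapping(address => uint256) public bids; // bidder => committed WETH
    constructor(IERC20 weth_) { weth = weth_; }

    function initialize(address owner_) external {
        require(!initialized, "already initialized");
        require(owner_ != address(0), "zero owner");
        initialized = true;
        owner = owner_;
    }

    function bid(uint256 amount) external { bids[msg.sender] = amount; }

    function settle(address bidder) external {
        require(msg.sender == owner, "not owner");
        uint256 amount = bids[bidder];
        require(amount > 0, "no bid");
        bids[bidder] = 0;
        require(weth.transferFrom(bidder, owner, amount), "transfer failed");
    }
}
```

Pulling the WETH into escrow inside `bid()` instead of relying on a standing allowance would remove the approval exposure entirely, which is why the advisory's first remediation is to revoke approvals granted to the affected contract.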
The vulnerability affected users who had approved the Ember Sword NFT contract, allowing attackers to obtain approximately 60 WETH. CertiK recommended revoking approval of the relevant contract on the Polygon blockchain as soon as possible.
The vulnerability in the Ember Sword NFT contract allowed fraudsters to manipulate bids and withdraw funds from users of the service. CertiK believes the vulnerability was caused by an error in the Ember Sword NFT auction contract code.
Users are requested to immediately revoke the authorization for the contract address starting with 0x389 on the BSC chain and the contract address starting with 0x6f7 on the Polygon chain.
Fraudulent bids could override users’ legitimate bids, resulting in attackers winning auctions at lower prices. They could then sell NFTs at higher prices, profiting from the difference.