The vulnerability affected users who had granted token approvals to the Ember Sword NFT contract, enabling attackers to receive approximately 60 WETH. CertiK has recommended that users revoke their approval of the relevant contract on the Polygon blockchain as soon as possible.
An unverified Ember Sword NFT auction contract was exploited, resulting in a profit of 60 WETH (~$195K).
By exploiting its uninitialized state, the attacker claimed the owner role and purchased fake NFTs using victims’ approved allowances.
— CertiK Alert (@CertiKAlert) April 28, 2024
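An added illustration, not Ember Sword's contract or CertiK's code, of the two weaknesses the alert describes: a hypothetical auction whose initializer anyone can call to become owner, and an owner-only settlement path that spends any approver's standing allowance, shown next to a hardened version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the failure class, not the real contract.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract VulnerableAuction {
    address public owner;
    IERC20 public weth;

    // BUG: no guard, so whoever calls this first (or again) becomes owner.
    function initialize(IERC20 _weth) external {
        owner = msg.sender;
        weth = _weth;
    }

    // BUG: the owner picks the payer, so anyone who approved this contract
    // for WETH can have that allowance spent without bidding.
    function settle(address payer, address seller, uint256 price) external {
        require(msg.sender == owner, "not owner");
        require(weth.transferFrom(payer, seller, price), "transfer failed");
    }
}

contract HardenedAuction {
    address public owner;
    IERC20 public weth;
    bool private initialized;

    // Fix 1: one-shot initializer; run it in the deployment transaction.
    function initialize(IERC20 _weth) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = msg.sender;
        weth = _weth;
    }

    // Fix 2: the contract only ever spends the caller's own allowance, so a
    // compromised owner cannot redirect other users' approvals.
    function bid(address seller, uint256 price) external {
        require(weth.transferFrom(msg.sender, seller, price), "transfer failed");
    }
}
```

For users, the practical check is the allowance they granted: an approval that stays non-zero after the auction is over is what turns an owner takeover into a loss of funds.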
The vulnerability in the Ember Sword NFT contract allowed scammers to manipulate auction rates and withdraw funds from the service's users. According to CertiK, the vulnerability appears to stem from a bug in the Ember Sword NFT auction contract's code.
Scammers took advantage of this vulnerability by placing fraudulent bids that would cover real users' bids, allowing them to win auctions at a reduced price. They would then sell the NFT at a higher price, profiting from the difference.
CertiK had previously reported a significant increase in financial losses among digital asset holders due to the compromise of private crypto keys.