According to data from the minting smart contract of the world's biggest NFT collection, Bored Ape Yacht Club, the owner of the wallet tied to the contract is currently able to mint an infinite quantity of NFT pieces.
The "vulnerability"
As the function "reserveApes" in the contract suggests, it should "Set some Bored Apes aside" but, in fact, the function allows minting of 30 apes at a time without even paying network fees of 0.08 ETH. But the main problem is that the function allows the infinite minting of the collection.
The code was more likely "left open" accidentally, and there should be another function that would prevent the "reserveApes" function from being repeated by the owner. As the on-chain data suggests, the account ending with "EE4D03" is still active and could mint more apes.
In addition to the function that could potentially ruin the floor price of the whole collection, the wallet has the authority to change the metadata tied to each existing non-fungible token within the collection.
this can be fixed by 0xaBA7161A7fb69c88e16ED9f455CE62B791EE4D03 calling the function to renounce ownership, suggest the BAYC community push whoever it is to do so, quickly.
— suzuha (@dystopiabreaker) February 3, 2022
But while the exploit still exists in the code, it is still possible to avoid an unpleasant situation by calling the function to renounce ownership.
NFT industry going through a tough period
Previously, numerous NFT-related exploits took place in the space with the biggest NFT marketplace, OpenSea, facing a technical problem with their API that allowed a user to buy and sell non-fungibles for cheaper prices and then sell them for the market price.
Later on, hackers managed to steal eight NFT pieces from the marketplace by once again exploiting the vulnerability. The stolen pieces were related to collections like Cool Cat and Bored Ape Yacht Club. The hacker's wallet was valued at $117,000.
Tomiwabold Olajide
Alex Dovbnya
Denys Serhiichuk