A malicious operator can exploit Zora by creating a custom ERC20 token that triggers external marketplace interactions during transfer.

I remember the day I decided to resell my NFT on Foundation like it was yesterday. The piece was a rare digital sculpture by a once-respected creator. I’d purchased it months earlier for a nice amount, believing in the artwork’s long-term value. It had since appreciated, and I was excited to finally cash in. But when the time came, I found myself in a baffling position: I got nothing. Not a single ETH. Not one wei. All the proceeds slipped right through my hands and into the creator’s wallet.

A critical vulnerability was identified in both Async Art’s NFTAuction and SuperRare’s SuperRareAuctionHouse contracts. The former had approximately ~30k at risk, while the latter faced a potential loss of ~430k. Funds in both protocols remain secure. I reached out to Async through Discord and SuperRare via the SEAL 911 service.