Note: The following is a fictionalized story of an out-of-scope report that I submitted to Foundation via Immunefi. The report is considered technically true but out of scope in part because of the belief that loss of reputation will prevent operators from using this exploit.
I remember the day I decided to resell my NFT on Foundation like it was yesterday. The piece was a rare digital sculpture by a once-respected creator. I’d purchased it months earlier for a nice amount, believing in the artwork’s long-term value. It had since appreciated, and I was excited to finally cash in. But when the time came, I found myself in a baffling position: I got nothing. Not a single ETH. Not one wei. All the proceeds slipped right through my hands and into the creator’s wallet.
It didn’t make sense. I was no newbie to NFTs—surely I hadn’t misunderstood something so fundamental. I had sold other NFTs before, and they’d been straightforward: I list, buyer pays, I get my cut, the creator gets their royalty. But this time, everything looked correct on the surface… until my payout never appeared. I decided to investigate. And that’s where my journey down the rabbit hole began.
Setting the Stage
After my sale closed, I waited for the transaction confirmations and the usual notifications. Except the familiar chime of incoming ETH never arrived. I checked my wallet’s balance: unchanged. Confused, I hopped onto Etherscan to follow the transaction trail. The buyer’s payment had gone through. The contract had processed the sale. The platform fees were taken out. And then, according to the transaction logs, my portion of the revenue was sent directly to the creator.
I stared at the transaction details, perplexed. Why in the world would the creator receive the entire sum from what should have been a secondary sale? Sure, creators get royalties, but not everything. Had I clicked the wrong button? Set my sale price incorrectly? I replayed the listing process in my head, but it all seemed normal.
Diving Into the Contracts
With no other leads, I turned to the code. Foundation, like many NFT marketplaces, uses smart contracts that are public on the blockchain. I knew how to look at verified code on Etherscan, so eventually I pulled up the MarketUtils contract. Browsing through the code, I found the part where the fees were calculated—the function that determined how to split the sale price between me (the seller) and the creator.
Then I saw something that made me do a double-take. There, in the logic, was a snippet that felt like a hidden booby trap:
if (creatorRecipients[i] == options.seller) {
    // If the seller is any of the recipients defined, assume a primary sale
    creatorRev += sellerRev;
    sellerRev = 0;
}
Wait, what? This line meant that if my address—the seller’s address—appeared in the list of “creatorRecipients,” the code would treat the sale as if it were a primary sale. In a primary sale, the original creator is supposed to get almost everything less the platform fees. But I wasn’t the original creator. I was a secondary collector, trying to flip a piece on the secondary market. So why was my address popping up in that list?
A Suspicious Override Contract
I dug deeper. Foundation uses a royalty registry that allows creators to override default royalties with their own custom logic. This can be handy in a lot of legitimate scenarios—maybe a collective of artists shares revenue, or a charity receives part of the profits. But if a creator can add me, the seller, to that list of recipients, what then?
According to the code, if I’m listed as a creator recipient, the marketplace thinks it’s the first time this NFT is being sold. Suddenly, my rightful seller’s payout vanishes, merged into the creator’s pot.
As I followed the chain of contracts and calls, I discovered the culprit: the creator had registered an override contract that specifically listed my address as a “creator recipient.” That was bizarre, because I had no relationship with them. It looked like pure sabotage. And to ensure maximum mischief, they had cranked the creatorShares array so high that the code defaulted to paying only the first recipient in that list—which just so happened to be themselves.
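To make the payout arithmetic concrete, here is an added Python model of the fee logic described above, constructed for this page and not Foundation's code; the 5% platform fee, 10% royalty, the Sale fields, the minter-based check in split_hardened and the preflight heuristics are all assumptions chosen to illustrate the point.

```python
# Constructed model of a marketplace fee split; not Foundation's code, and the
# fee/royalty percentages are assumptions chosen only to make the arithmetic visible.
from dataclasses import dataclass

BPS = 10_000
PLATFORM_FEE_BPS = 500   # assumed 5% platform fee
ROYALTY_BPS = 1_000      # assumed 10% creator royalty on a secondary sale

@dataclass
class Sale:
    price: int                    # in wei
    seller: str
    minter: str                   # creator recorded by the token contract itself
    creator_recipients: list      # from the (possibly overridden) royalty registry
    creator_shares: list          # basis points, one per recipient

def base_split(sale):
    platform = sale.price * PLATFORM_FEE_BPS // BPS
    creator = sale.price * ROYALTY_BPS // BPS
    return platform, creator, sale.price - platform - creator

def split_vulnerable(sale):
    """Mirrors the page's snippet: a seller that appears among the royalty
    recipients is treated as the creator, so sellerRev is folded into creatorRev."""
    platform, creator, seller = base_split(sale)
    if sale.seller in sale.creator_recipients:   # "assume a primary sale"
        creator += seller
        seller = 0
    return {"platform": platform, "creator": creator, "seller": seller}

def split_hardened(sale):
    """Illustrative mitigation (an assumption, not Foundation's fix): decide 'primary
    sale' from the token contract's minter record, which an override cannot change."""
    platform, creator, seller = base_split(sale)
    if sale.seller == sale.minter:
        creator += seller
        seller = 0
    return {"platform": platform, "creator": creator, "seller": seller}

def preflight_warnings(sale):
    """Checks a seller could run against the live royalty registry before listing."""
    warnings = []
    if sale.seller in sale.creator_recipients and sale.seller != sale.minter:
        warnings.append("seller address is listed as a creator recipient on a secondary sale")
    if sum(sale.creator_shares) > BPS:
        warnings.append("creator shares exceed 100%; payout may collapse onto the first recipient")
    return warnings
```

Run split_vulnerable and split_hardened on the same Sale with the seller inserted into creator_recipients to see the seller's cut go to zero in one and survive in the other.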
Finding the Smoking Gun on Etherscan
I pulled up the override contract on Etherscan. It wasn’t well-known, had few interactions, and looked suspiciously like a bespoke trap. Inside, I could see the code logic specifying me as a recipient. My address, right there in black and white, lumped into the creator’s payout group.
I traced a few transactions and noticed how the contract was toggled on and off. The creator had set it up before my sale. Then, after the sale was done, they reverted to the original royalty setup. If someone came snooping later, they might never spot the scam unless they timed it just right.
To the outside world, it would appear as though the platform itself had made a deliberate decision to funnel all funds to the creator. But in reality, it was the code’s design interacting with malicious data provided by the creator’s override. Foundation’s marketplace logic had a loophole—one that let the creator manipulate a situation so that my address was treated as if I were the original artist, effectively zeroing out my cut.
A Quiet Acceptance
Armed with this information, I reached out to Foundation. I expected outrage, concern, or at the very least a swift patch. Instead, they seemed oddly unbothered. They considered the exploit “acceptable design.” According to them, the logic was working as intended: if a creator provides malicious data, that’s on the creator’s conscience, not the platform’s responsibility.
I gaped at my screen, incredulous. This was a blueprint for robbery, and they were okay with it, reasoning that a malicious creator would damage their reputation. But what about collectors like me who had just been robbed blind? Reputation damage doesn’t refill my empty wallet.
Reflections on a Harsh Lesson
As I sat back, I realized how vulnerable secondary sellers like me could be. I had stumbled into a hidden pitfall that most users probably never consider. When we trust platforms, we assume they protect both buyers and sellers from malicious actors. But in this case, the platform’s own fee logic and overrides combined into a perfect storm that let the creator siphon off what should have been my legitimate earnings.