Logic error, lack of buyer verification
Days in Operation:
Quixotic is the largest NFT marketplace on Optimism.
The project team announced that a vulnerability introduced in a recent update to their contract was exploited, allowing an attacker to steal ERC-20 tokens that users had approved to the contract. The exploited contract has been permanently paused, and refunds will be sent out automatically over the coming days.
End users must revoke the Quixotic smart contract's token approvals (for example via https://revoke.cash) as soon as possible.
According to SlowMist, the root cause was a verification logic error in the fillSellOrder function of the market contract: only the sell order is checked, while the buyer's buy order is never verified. As a result, the attacker can first create a worthless NFT and then call fillSellOrder to fill a sell order for that NFT, passing in the victim's address as the buyer and a token the victim has approved to the market, thereby draining the victim's approved assets.
The attacker stole about 220,000 OP, exchanged it for USDC, bridged it to the BNB Chain, swapped it for BNB and transferred it to Tornado.Cash. Beosin reported that an aggregate of 847 BNB was taken.
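The verification gap described above, shown as an added, hypothetical Solidity sketch (not Quixotic's actual contract): the vulnerable pattern checks only the seller's signature and takes the payer address from the caller, while the hardened pattern requires the payer to be the caller or to have signed a matching buy order. Struct and function names, the plain keccak256 hashing, and the OpenZeppelin 4.x ECDSA import are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: a simplified, hypothetical order-matching sketch, NOT the
// Quixotic contract. Names and hashing are assumptions; a production contract
// would use EIP-712 digests plus per-order nonces to prevent replays.
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol"; // OpenZeppelin 4.x

interface IERC20 { function transferFrom(address, address, uint256) external returns (bool); }
interface IERC721 { function transferFrom(address, address, uint256) external; }

struct SellOrder { address seller; address nft; uint256 tokenId; address paymentToken; uint256 price; }
struct BuyOrder  { address buyer;  address nft; uint256 tokenId; address paymentToken; uint256 price; }

contract MarketSketch {
    function digest(bytes memory encoded) internal pure returns (bytes32) {
        return ECDSA.toEthSignedMessageHash(keccak256(encoded));
    }

    // VULNERABLE pattern: only the seller's signature is verified. `buyer` is a
    // caller-chosen address, so any account that has approved `paymentToken`
    // to this contract can be named as the payer of a sale the caller created.
    function fillSellOrder(SellOrder calldata sell, bytes calldata sellerSig, address buyer) external {
        require(ECDSA.recover(digest(abi.encode(sell)), sellerSig) == sell.seller, "bad seller sig");
        IERC20(sell.paymentToken).transferFrom(buyer, sell.seller, sell.price); // spends buyer's allowance
        IERC721(sell.nft).transferFrom(sell.seller, buyer, sell.tokenId);
    }

    // HARDENED pattern: the payer must be the caller, or must have signed a buy
    // order committing to the same asset, payment token and price as the sell order.
    function fillSellOrderChecked(SellOrder calldata sell, bytes calldata sellerSig,
                                  BuyOrder calldata buy, bytes calldata buyerSig) external {
        require(ECDSA.recover(digest(abi.encode(sell)), sellerSig) == sell.seller, "bad seller sig");
        if (msg.sender != buy.buyer) {
            // Payer is not the caller: consent must come from the payer's own signature.
            require(ECDSA.recover(digest(abi.encode(buy)), buyerSig) == buy.buyer, "bad buyer sig");
        }
        require(buy.nft == sell.nft && buy.tokenId == sell.tokenId
             && buy.paymentToken == sell.paymentToken && buy.price == sell.price, "orders do not match");
        IERC20(sell.paymentToken).transferFrom(buy.buyer, sell.seller, sell.price);
        IERC721(sell.nft).transferFrom(sell.seller, buy.buyer, sell.tokenId);
    }
}
```

The hardened variant still relies on users limiting the allowance they grant to a marketplace contract, which is why revoking stale approvals matters even after the fix.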
DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.