Floor Protocol has been exploited, resulting in a variety of Bored Apes and Pudgy Penguins being stolen and stored in a wallet now flagged in connection to a phishing scam.
The NFT protocol advertises the ability to turn tokens into tradeable derivatives meant to represent fractional parts of NFTs. According to the founder of NFT marketplace Delegate, known online as ‘foobar,’ a bad contract upgrade several days ago introduced the vulnerability.
The wallet storing the stolen Bored Apes and Pudgy Penguins, 0x4d0D746E0F66bf825418E6b3deF1a46Ec3c0B847, has now been reported on Etherscan by ‘foobar’ for use in a phishing scam.
Update audits missing from Floor Protocol firm’s website
Despite this commitment, the most recent update that introduced this vulnerability doesn’t seem to have been audited.
- The Halborn audit featured on Flooring Lab’s website is dated September 8, 2023, while the audit by OtterSec is dated October 4.
- Interestingly, the ‘smart_contract’ repository that OtterSec audited now returns a 404 error.
- The only repositories listed on Flooring Lab’s GitHub contain logos and config files for the website.
One of Flooring Lab’s team members announced a fix had been pushed that they “believe patched the issue.”
This exploit of Floor Protocol comes days after a major hack of NFT Trader. Dozens of high-value NFTs were stolen.