According to Bored Ape Yacht Club, the minting smart contract for the world's largest NFT pool, owners of wallets tied to the contract are currently able to mint an unlimited number of NFT shards.

"Loophole"

As the "reserveApes" feature in the contract suggests, it is supposed to "put some boring apes aside", but in reality, it allows casting 30 apes at a time without even paying the 0.08 ETH network fee. But the main problem is that this feature allows unlimited casting of collectibles.

The code is more likely to accidentally "stay open" and there should be another function that prevents the owner from repeating the "reserveApes" function. As the data on the chain shows, the account ending with "EE4D03" is still active and can cast more apes.

In addition to features that may destroy the floor price of the entire collection, the wallet also has the right to change the metadata associated with each existing irreplaceable token in the collection.

This can be resolved by 0xaBA7161A7fb69c88e16ED9f455CE62B791EE4D03 calling the function to relinquish ownership, and it is recommended that the BAYC community push anyone to do so as soon as possible.

— Suzuha (@dystopiabreaker) February 3, 2022

However, although exploits still exist in the code, it is still possible to avoid unpleasant situations by calling the function to relinquish ownership.

The NFT industry is going through tough times

Previously, there were many NFT-related attacks in the space of OpenSea, the largest NFT marketplace, which faced technical problems with their API that allowed users to buy and sell non-substitutes at cheaper prices and then sell them at market prices.

The hacker later used the vulnerability again to successfully steal eight NFTs from the market. The stolen pieces were associated with collections such as Cool Cat and Bored Ape Yacht Club. The hacker's wallet was valued at $117,000.