Crypto Investigator Issues Warning About Attack Exploiting Flash Loans and NFT Market Vulnerabilities


Blockchain security firm CertiK has issued an urgent warning after detecting a suspicious transaction that points to a new, highly sophisticated attack method exploiting vulnerabilities in NFT marketplaces. 

The exploit uses a 0-fee flash loan, an uncollateralized loan that must be borrowed and repaid within the same transaction, to fund an attack on smart contract weaknesses. 

At the heart of the vulnerability are flaws in how the NFT marketplace uses delegatecall functions and processes makeOffer and acceptOffer actions. 

These loopholes allowed the attacker to gain temporary control of assets, carry out unauthorized transfers, and repay the flash loan, all within a single block, making the attack nearly undetectable in real-time.

Inside the Exploit: Flash Loans and Delegatecall Manipulation

The attacker’s strategy was executed through a series of intricate smart contract interactions that demonstrate a deep understanding of DeFi and NFT protocols. 

Using the liquidity obtained from the 0% fee flash loan, the exploiter targeted critical design flaws in the marketplace’s smart contracts. 

The exploit leveraged delegatecall, a powerful function that executes external code within the context of the calling contract, allowing the attacker to manipulate core logic without changing ownership or permissions on-chain. 

By exploiting weaknesses in how offers were created and accepted, namely, insufficient validation checks, the attacker orchestrated malicious asset transfers. 

Crucially, all actions were completed and rolled back within the same transaction, leaving minimal evidence and triggering no automated security alerts.


Structural Vulnerabilities Exposed Despite No Immediate Losses

While no direct financial losses have been reported yet, CertiK emphasized the structural vulnerabilities exposed by the attempted exploit. 

The firm warned that similar flaws could exist in other NFT marketplaces, particularly those using delegated offer and acceptance mechanisms. 

Key issues include poor access control, lack of reentrancy protection, and unverified user input, factors that open the door for sophisticated exploits. 

CertiK advised all DeFi and NFT projects to conduct urgent audits of their smart contract infrastructure, with a specific focus on securing functions that handle asset ownership, offer logic, and external contract execution. 
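The passages above name the weak points (unvalidated makeOffer/acceptOffer logic, delegatecall into external code, missing access control and reentrancy protection) and the remedy (audit the functions that handle asset ownership, offer logic and external contract execution). As an added illustration, not CertiK's analysis and not the affected marketplace's code, the following Solidity contract shows one way to write those two functions with the checks the advisory calls for. The contract name, the escrow design, the collection allow-list, the ERC-721 interface subset and every identifier other than makeOffer and acceptOffer are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface used below (assumption: the standard interface).
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical offer marketplace hardened along the lines of the advisory.
contract HardenedOfferMarket {
    struct Offer {
        address buyer;      // who made the offer and escrowed the ETH
        address collection; // ERC-721 contract the token lives in
        uint256 tokenId;
        uint256 price;      // wei escrowed at makeOffer time
        uint64  expiry;     // unix time after which the offer is void
        bool    active;
    }

    mapping(bytes32 => Offer) public offers;
    mapping(address => bool) public allowedCollections; // owner-maintained allow-list
    address public immutable owner;
    uint256 private _lock = 1; // reentrancy guard: 1 = unlocked, 2 = locked

    event OfferMade(bytes32 indexed id, address indexed buyer, address collection, uint256 tokenId, uint256 price);
    event OfferAccepted(bytes32 indexed id, address indexed seller);
    event OfferCancelled(bytes32 indexed id);

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor() { owner = msg.sender; }

    // Access control on configuration: only the owner can admit a collection.
    function setCollection(address collection, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedCollections[collection] = allowed;
    }

    // Input validation: the collection must be allow-listed, the price must be
    // non-zero and the expiry must lie in the future. The ETH is escrowed here,
    // so settlement later never depends on liquidity the buyer only held briefly.
    function makeOffer(address collection, uint256 tokenId, uint64 expiry)
        external payable returns (bytes32 id)
    {
        require(allowedCollections[collection], "collection not allowed");
        require(msg.value > 0, "zero price");
        require(expiry > block.timestamp, "expiry in past");
        id = keccak256(abi.encode(msg.sender, collection, tokenId, msg.value, expiry, block.number));
        require(!offers[id].active, "duplicate offer");
        offers[id] = Offer(msg.sender, collection, tokenId, msg.value, expiry, true);
        emit OfferMade(id, msg.sender, collection, tokenId, msg.value);
    }

    // Checks-effects-interactions: validate, mark the offer inactive, then move assets.
    function acceptOffer(bytes32 id) external nonReentrant {
        Offer memory o = offers[id];
        require(o.active, "no such offer");
        require(block.timestamp <= o.expiry, "offer expired");
        // Access control: only the current owner of the token may accept an offer for it.
        require(IERC721(o.collection).ownerOf(o.tokenId) == msg.sender, "caller does not own token");

        offers[id].active = false; // effect recorded before any external call

        // Interactions use plain calls only. No delegatecall, so the collection
        // contract never executes inside this contract's storage context.
        IERC721(o.collection).safeTransferFrom(msg.sender, o.buyer, o.tokenId);
        (bool ok, ) = msg.sender.call{value: o.price}("");
        require(ok, "payment failed");
        emit OfferAccepted(id, msg.sender);
    }

    // Only the buyer who escrowed the ETH may withdraw an offer.
    function cancelOffer(bytes32 id) external nonReentrant {
        Offer memory o = offers[id];
        require(o.active && o.buyer == msg.sender, "not offer owner");
        offers[id].active = false;
        (bool ok, ) = msg.sender.call{value: o.price}("");
        require(ok, "refund failed");
        emit OfferCancelled(id);
    }
}
```

The seller must have approved the marketplace on the collection before calling acceptOffer, otherwise safeTransferFrom reverts and the whole transaction rolls back with the offer still active. Each of the three concerns in the advisory maps to a visible line: ownership is checked against ownerOf at acceptance time, state is updated before value moves and the nonReentrant guard covers both payout paths, and external contracts are reached only through ordinary calls to an allow-listed address.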

The absence of losses this time should not be seen as reassurance, but rather as a lucky escape and a wake-up call.

Security Community Reacts and Calls for Industry Vigilance

CertiK’s findings have sparked concern across the broader crypto community. The firm reposted the alert via its CertikAIAgent account on X (formerly Twitter), including a link to the attack transaction on PolygonScan for full public visibility. 

Developers, auditors, and marketplace operators have been urged to take immediate security precautions, especially around flash loan integrations and smart contract permissions. 

As NFT marketplaces become increasingly complex and interconnected with DeFi, vulnerabilities like this could lead to large-scale losses if left unaddressed. 

The incident highlights the urgent need for proactive security updates and real-time monitoring tools to catch advanced threats before they are executed on-chain.


CertiK’s Broader Findings Underscore Ongoing Crypto Security Risks

This is not the first time CertiK has uncovered critical vulnerabilities in the crypto ecosystem. 

The firm recently confirmed that a major hack on Solana-based DEXX was due to poor private key management, resulting in tens of millions in losses. 

Further investigations revealed that an external breach involving the ZenTao platform enabled hackers to evade traceability, limiting the recovery of stolen funds. 

Despite a significant drop in overall crypto-related losses in March, down to $28.8 million from $1.5 billion in February, the sector remains vulnerable. 

CertiK’s continuous warnings and discoveries stress the need for layered, adaptive security measures as hackers evolve and innovate new methods to exploit both old and emerging platforms.
