Note: This was reported to Zora but the contract in question is depreciated. Link to the report.TLDR Zora’s built-in NFT marketplace lets operators accept bids using any ERC20 token. A malicious operator can exploit this by creating a custom ERC20 token that triggers external marketplace interactions during transfer. This allows the operator to sell an NFT to a buyer on another marketplace legitimately, then immediately steal the NFT back using Zora’s transfer logic, leaving the buyer empty-h...

Note: This was reported to Zora but the contract in question is depreciated. Link to the report.TLDR Zora’s built-in NFT marketplace lets operators accept bids using any ERC20 token. A malicious operator can exploit this by creating a custom ERC20 token that triggers external marketplace interactions during transfer. This allows the operator to sell an NFT to a buyer on another marketplace legitimately, then immediately steal the NFT back using Zora’s transfer logic, leaving the buyer empty-h...