According to preliminary analysis by the SlowMist security team, this vulnerability fundamentally stems from excessive owner privileges. In the ERC721R sample contract, the owner can use the setRefundAddress function to arbitrarily set the address that receives refunded NFTs from users. When this refund address holds the target NFT, it can repeatedly call the refund function to drain the funds locked by users in the contract. Additionally, the sample contract contains an ownerMint function, allowing the owner to mint new NFTs even before the total supply cap is reached. Therefore, the current implementation of ERC721R only prevents honest mistakes but cannot stop malicious actors.
The SlowMist security team advises users to conduct thorough risk assessments when participating in NFT mints, regardless of whether projects adopt ERC721R or not.




