TechFlow news — According to preliminary analysis by the SlowMist security team, the ERC721R example contract contains a flaw that could allow project owners to exploit it for a Rug Pull. The core issue stems from excessive owner privileges: within the ERC721R example contract, the owner can use the setRefundAddress function to arbitrarily designate the address receiving refunded NFTs.
When this refund address holds the target NFTs, the owner can repeatedly call the refund function, draining all user funds locked within the contract. Additionally, the example contract includes an ownerMint function, allowing the owner to mint new NFTs even before the total supply cap is reached. SlowMist advises users to carefully assess risks when participating in any NFT minting event, regardless of whether the project uses ERC721R or not.




