The ASCII Mark field on the contract creation page is not sanitized, which allows malicious scripts to be injected. This can lead to users' wallets being drained and authorization tokens being stolen.
The workflow is as follows:
- A user creates a contract with a script injected into the ASCII Mark field and deploys the contract.
- The user adds other users' wallets as admins for the contract through settings.
- The script executes when the target user visits the contract page or directly accesses the contract URL.
This bug can be used to target other contract deployers or artists.
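
One way to close this, shown as an added example that is not the platform's own code: validate the ASCII Mark on input and HTML-escape it on output, so legitimate ASCII art containing `<` and `>` still displays while markup stays inert. The function names, the 4096-character limit, and rendering inside a `<pre>` element are assumptions.

```javascript
// Added example: hypothetical helpers, not the platform's real code.
const MAX_MARK_LENGTH = 4096; // assumed limit, not from the report

// Input check: accept only printable ASCII plus newlines.
// Reject instead of silently stripping, so the creator sees the error.
function validateAsciiMark(input) {
  if (typeof input !== "string") return { ok: false, reason: "not a string" };
  const normalized = input.replace(/\r\n?/g, "\n"); // unify line endings
  if (normalized.length > MAX_MARK_LENGTH) return { ok: false, reason: "too long" };
  if (!/^[\x20-\x7E\n]*$/.test(normalized)) {
    return { ok: false, reason: "non-printable or non-ASCII character" };
  }
  return { ok: true, value: normalized };
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Output encoding: the characters ASCII art needs are kept, but encoded.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored mark. Stored values are re-validated because records
// saved before the fix may already contain markup.
function renderAsciiMark(storedMark) {
  const checked = validateAsciiMark(storedMark);
  if (!checked.ok) return '<pre class="ascii-mark"></pre>';
  return `<pre class="ascii-mark">${escapeHtml(checked.value)}</pre>`;
}

// Constructed sample inputs.
const legitimateArt = " /\\_/\\\n( o.o )\n > ^ <";
const markWithMarkup = "<script>alert(1)</script>";

console.log(renderAsciiMark(legitimateArt));
console.log(renderAsciiMark(markWithMarkup));
```

Escaping must happen at every place the mark is rendered, including the contract page reached by direct URL and any admin or settings view that displays it.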