I'm an intermediate-level hobby Web3 developer reaching out for a little bit of help with regard to security, which is something that I am trying to learn more about. Recently, a project that I have newly joined to help contribute to had the ownership of its contract hacked and switched. I am seeking a little bit of guidance about the malicious ownership transfer, and trying to determine if the contract ownership implementation is secure or if the vulnerability came from outside the contract. I understand this isn't a full audit, but I just want to seek some help with whether there is a flaw in their contract that allowed this to happen, so that I may help them fix the issue.
I would greatly appreciate any help with pointing me in the direction of the vulnerability, which I don't see or am missing, and if one doesn't exist then at least we know that something else led to the transfer of ownership.
I looked into the contract. There is nothing wrong with the contract. It is derived from Ownable and no one can transfer the ownership other than the owner. Also, as you can see from the transaction, it has come from the owner.
So if the owner is not malicious, his private key might be compromised.
Interestingly, the previous owner still owns 24 NFTs, which are 8.5% of the total. So it doesn't look like his account is compromised. Is this a rug pull?
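Added example, not part of the original thread: the check described in the answer (did the ownership change come from the owner's own address?) written as a small triage function over a transaction and its receipt. It assumes the contract emits the standard OpenZeppelin `Ownable` event `OwnershipTransferred(address,address)`; the function name, verdict strings, addresses and sample transaction are all constructed for illustration.

```python
# keccak256("OwnershipTransferred(address,address)"), the OpenZeppelin Ownable event
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
# First 4 bytes of keccak256("transferOwnership(address)")
TRANSFER_OWNERSHIP_SELECTOR = "0xf2fde38b"

def topic_to_address(topic: str) -> str:
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def pad(addr: str) -> str:
    """Left-pad a 20-byte address to a 32-byte topic/ABI word."""
    return "0x" + "00" * 12 + addr[2:]

def triage_ownership_change(tx: dict, receipt: dict, contract: str) -> dict:
    """Classify who changed the owner of `contract` in this transaction."""
    contract = contract.lower()
    for log in receipt["logs"]:
        topics = log["topics"]
        if log["address"].lower() != contract or len(topics) != 3:
            continue
        if topics[0].lower() != OWNERSHIP_TRANSFERRED:
            continue
        previous, new = topic_to_address(topics[1]), topic_to_address(topics[2])
        sender = tx["from"].lower()
        direct = ((tx.get("to") or "").lower() == contract
                  and tx["input"].lower().startswith(TRANSFER_OWNERSHIP_SELECTOR))
        if sender == previous and direct:
            # Signed with the owner's key: on-chain data cannot tell a
            # malicious owner from a stolen key, only that the key was used.
            verdict = "signed-by-previous-owner"
        elif sender == previous:
            verdict = "previous-owner-via-other-call"
        else:
            # Owner may be a contract (e.g. a multisig), or access control
            # was bypassed: this is the case that warrants a code review.
            verdict = "sender-is-not-previous-owner"
        return {"previous": previous, "new": new, "sender": sender, "verdict": verdict}
    return {"verdict": "no-ownership-event"}

# Constructed sample data (not from the project in the thread).
CONTRACT, OLD_OWNER, NEW_OWNER = "0x" + "c0" * 20, "0x" + "a1" * 20, "0x" + "b2" * 20
SAMPLE_TX = {"from": OLD_OWNER, "to": CONTRACT,
             "input": TRANSFER_OWNERSHIP_SELECTOR + pad(NEW_OWNER)[2:]}
SAMPLE_RECEIPT = {"logs": [{"address": CONTRACT,
                            "topics": [OWNERSHIP_TRANSFERRED, pad(OLD_OWNER), pad(NEW_OWNER)]}]}

if __name__ == "__main__":
    print(triage_ownership_change(SAMPLE_TX, SAMPLE_RECEIPT, CONTRACT))
```

The `tx` and `receipt` dictionaries use the field names returned by the standard `eth_getTransactionByHash` and `eth_getTransactionReceipt` JSON-RPC calls, so real results can be passed in unchanged.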