According to Foresight News, Chainbase DevRel Masterdai has identified a security flaw in the INSC contract. In a tweet, Masterdai explained that the 'approve' function should only allow the current NFT owner or authorized users to set approval for a specific 'tokenId'. However, when the 'nft2ft' status flag is set to 'false', the contract erroneously calls the internal function 'ERC721._approve' instead of the correct 'approve' function. This results in the bypassing of owner authentication, which Masterdai believes is due to the developers accidentally adding an extra underscore '_' in the code, leading to this significant permission verification vulnerability.