- An exploit has been discovered in TreasureDAO.
- In a tweet today, TreasureDAO co-founder John Patten confirmed the exploit.
- TreasureDAO had earlier today advised users to “delist everything” via messages posted on its Discord server.
An exploit has been discovered in TreasureDAO, the largest marketplace for non-fungible tokens (NFTs) on the Arbitrum blockchain. In a tweet today, TreasureDAO co-founder John Patten confirmed the exploit.
Patten wrote: “Treasure marketplace is being exploited. Please delist your items. We will cover the costs of the exploit - I will personally give up all of my Smols to repair this. I cannot fathom what subhuman targets a fair launch marketplace for robbery, but they will not defeat the community.”
TreasureDAO had earlier today advised users to “delist everything” via messages posted on its Discord server. Soon after the message was posted, the marketplace was paused. Its representatives later stated that they believed they had found the problem. The news sparked outrage among Treasure users, who took to social media to warn others.
So far, the full scope of the exploit and which items were stolen remain unknown. However, a blockchain address associated with the hacker, shared by Twitter sleuths, provides some clues. From that clue, it appears that the hacker obtained the pieces without having to pay for them.
The address shared in the sleuths' tweet appears to indicate that 17 Smol Brains, possibly the most popular NFTs traded on Arbitrum, were stolen. Based on their listed prices on the Treasure platform, the total value of these pieces is 426,511.38 in MAGIC, Treasure’s native token, or around $1.4 million at current prices.
According to PeckShield, TreasureDAO was exploited in a series of transactions. One of them was 0x37222d3ad371dff2d3f3ae1c788d1cc4ad69e9f1839776830726485119a89269. This transaction led to 100+ NFTs being stolen from several collections on Treasure Marketplace. The steps of that transaction were:
- Call buyItem() with a valid NFT token and NFT ID, but with an invalid ZERO quantity
- Treasure Marketplace sells the NFT but charges ZERO MAGIC (due to the ZERO quantity)
The hack is made possible due to a bug in distinguishing ERC721 and ERC1155 in buyItem(), which mis-calculates the price of ERC721 as ERC1155 with the (untrusted) given 0 quantity.
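The flaw described above, modelled beside a hardened check. This is an added example in Python, not Treasure's contract code: the `Marketplace` class, its method names, the account names and the 25,000 MAGIC price are all hypothetical or constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Listing:
    seller: str
    standard: str        # "ERC721" or "ERC1155"
    quantity: int        # units for sale; always 1 for an ERC721 listing
    price_per_item: int  # price in MAGIC (constructed value)

class Marketplace:
    """Toy in-memory model of the flaw; not Treasure's contract code."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.listings = {}  # (collection, token_id) -> Listing
        self.owner = {}     # (collection, token_id) -> ERC721 holder
        self.paid = {}      # seller -> MAGIC received

    def list_item(self, collection, token_id, listing):
        self.listings[(collection, token_id)] = listing
        if listing.standard == "ERC721":
            self.owner[(collection, token_id)] = listing.seller

    def buy_item(self, buyer, collection, token_id, quantity):
        key = (collection, token_id)
        listing = self.listings[key]
        if self.hardened:
            # Validate the untrusted quantity against the token standard.
            if listing.standard == "ERC721" and quantity != 1:
                raise ValueError("ERC721 purchases must have quantity 1")
            if not 0 < quantity <= listing.quantity:
                raise ValueError("quantity out of range for listing")
        # Price is derived from the caller-supplied quantity for both standards.
        total = listing.price_per_item * quantity
        self.paid[listing.seller] = self.paid.get(listing.seller, 0) + total
        if listing.standard == "ERC721":
            self.owner[key] = buyer  # the whole token moves regardless of quantity
            del self.listings[key]
        else:
            listing.quantity -= quantity
        return total

def zero_quantity_purchase(hardened: bool):
    """Return (MAGIC charged, or None if rejected; resulting ERC721 owner)."""
    market = Marketplace(hardened)
    market.list_item("SmolBrains", 1, Listing("alice", "ERC721", 1, 25_000))
    try:
        charged = market.buy_item("mallory", "SmolBrains", 1, quantity=0)
    except ValueError:
        charged = None
    return charged, market.owner[("SmolBrains", 1)]
```

With `hardened=False` the model charges 0 MAGIC and still reassigns the token; with `hardened=True` the call is rejected and the seller keeps it.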
The hack flow of some stolen NFTs from one hacker is shown in the image below. The project team is currently working to address the vulnerability and promises to provide solutions to affected users. As a result, the price of TreasureDAO’s ecosystem token MAGIC fluctuated, with a 12.09% drop in a 24-hour period.