Hundreds of NFTs were stolen in the TreasureDAO exploit, conducted through a series of transactions. The attackers were able to exploit a bug in the protocol that enabled them to mint NFTs for free. Soon after, the platform urged its users to delist their non-fungible tokens from the marketplace.
In yet another major blow to the NFT industry, the latest project to fall victim to a massive breach is TreasureDAO, the biggest NFT marketplace on the layer 2 protocol Arbitrum.
According to data from blockchain security and data analytics company PeckShield, more than 100 NFTs were swiped. The hack was due to “a bug in distinguishing ERC721 and ERC1155 in buyItem(), which mis-calculates the price of ERC721 as ERC1155 with the (untrusted) given 0 quantity.”
The full extent of the damage is still unclear. However, several social media posts suggest that one of the addresses used in the hack reportedly siphoned 17 Smol Brains, which are popular NFTs traded on Arbitrum.
According to the prices listed on the Treasure platform, these NFTs are worth around 426.5k MAGIC, the protocol’s native token. At current prices, that comes to $1.4 million. Following the exploit, MAGIC crashed from $3.82 to $2.55 on March 3 before recovering to the press time price of $3.3, as per data on CoinGecko.
3/ The hack is made possible due to a bug in distinguishing ERC721 and ERC1155 in buyItem(), which mis-calculates the price of ERC721 as ERC1155 with the (untrusted) given 0 quantity.
— PeckShield Inc. (@peckshield) March 3, 2022
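A simplified Python model of the flaw PeckShield describes, with the missing quantity checks behind a hardened switch, so the zero-quantity purchase can be compared before and after validation. This is an added example, not Treasure's contract code: the Marketplace and Listing classes, their fields and the demo helper are assumptions, and the sample listing is constructed.

```python
from dataclasses import dataclass

ERC721, ERC1155 = "ERC721", "ERC1155"

@dataclass
class Listing:
    standard: str        # token standard of the listed collection
    price_per_item: int  # price in the payment token's smallest unit
    quantity: int        # units on offer (always 1 for an ERC721)
    seller: str

class Marketplace:
    """Toy in-memory marketplace (hypothetical layout, not the real contract)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.listings = {}  # token_id -> Listing
        self.owner = {}     # token_id -> current owner (ERC721 only, for brevity)

    def list_item(self, token_id, listing):
        self.listings[token_id] = listing
        self.owner[token_id] = listing.seller

    def buy_item(self, buyer, token_id, quantity):
        listing = self.listings[token_id]
        if self.hardened:
            # Validate the caller-supplied quantity before it reaches the price.
            if quantity <= 0 or quantity > listing.quantity:
                raise ValueError("quantity out of range")
            if listing.standard == ERC721 and quantity != 1:
                raise ValueError("ERC721 quantity must be 1")
        # One ERC1155-style formula is applied to both standards.
        total = listing.price_per_item * quantity
        if listing.standard == ERC721:
            # The whole token moves, whatever quantity was used for pricing.
            self.owner[token_id] = buyer
            del self.listings[token_id]
        else:
            listing.quantity -= quantity
        return total

def demo(hardened):
    """Try a quantity-0 purchase of a constructed ERC721 listing."""
    m = Marketplace(hardened)
    m.list_item(1, Listing(ERC721, 25_000, 1, "seller"))
    try:
        return ("sold", m.buy_item("buyer", 1, 0), m.owner[1])
    except ValueError:
        return ("rejected", 0, m.owner[1])
```

Without the checks the listing changes hands for a total price of 0; with them the same call is rejected and the seller keeps the token.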
TreasureDAO’s Course of Action
While confirming the attack, TreasureDAO co-founder John Patten tweeted:
“Treasure marketplace is being exploited. Please delist your items. We will cover the costs of the exploit — I will personally give up all of my Smols to repair this.”
After apologizing for the hack, the developers behind TreasureDAO revealed in a Discord post that the vulnerability was the result of a previous fix and that it should have been identified earlier.
The marketplace is currently frozen, and no trades are being executed. The team also clarified that the listings are safe and that the code will be reviewed; once the review is complete, the marketplace will redeploy the fixes.
The devs also confirmed that the hackers had returned some stolen NFTs hours after the exploit. TreasureDAO will also propose remuneration options for platform users who do not receive the NFTs. These options will be put forward to the community and voted on by the decentralized autonomous organization.