TreasureDAO Exploited – more than 100 NFTs stolen
It is yet another blow to the NFT industry after TreasureDAO’s recent hack that saw over 100 NFTs stolen.
In a tweet, the data analytics and blockchain security company PeckShield explained how the hackers were able to exploit a bug in the protocol and mint free NFTs.
2/ To illustrate, we use the above hack tx and show the key steps below:
1. Call buyItem() with valid NFT token and NFT ID, but w/ invalid ZERO quantity
2. Treasure Marketplace sells the NFT but charges ZERO MAGIC (due to ZERO quantity) pic.twitter.com/OXGAHTtnZ2
— PeckShield Inc. (@peckshield) March 3, 2022
Following the hack, TreasureDAO developers asked their platform users to delist all their NFTs from the Marketplace for safety. They also explained how the hack was carried out, suggesting that the platform was made vulnerable by a previous fix. They noted that this should have been identified earlier and the necessary measures put in place to prevent future attacks.
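The zero-quantity purchase PeckShield describes, as an added example that is not TreasureDAO's contract code or PeckShield's analysis: a simplified Python model of a marketplace with and without a lower-bound check on quantity. The class and function names, the sample listing, and the price formula (price per item times quantity) are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Listing:
    seller: str
    price_per_item: int  # MAGIC per item
    quantity: int        # 1 for a unique NFT

class Marketplace:
    """Toy model; names and the price formula are assumptions, not Treasure's code."""
    def __init__(self, validate_quantity):
        self.validate_quantity = validate_quantity
        self.listings, self.owner, self.magic = {}, {}, {}

    def list_item(self, seller, key, price):
        self.owner[key] = seller
        self.listings[key] = Listing(seller, price, 1)

    def buy_item(self, buyer, key, quantity):
        listing = self.listings[key]
        if self.validate_quantity and quantity <= 0:
            raise ValueError("quantity must be at least 1")  # hardened check
        if quantity > listing.quantity:
            raise ValueError("quantity exceeds listing")     # upper bound only
        total = listing.price_per_item * quantity            # 0 when quantity == 0
        if self.magic.get(buyer, 0) < total:
            raise ValueError("insufficient MAGIC")
        self.magic[buyer] = self.magic.get(buyer, 0) - total
        self.magic[listing.seller] = self.magic.get(listing.seller, 0) + total
        self.owner[key] = buyer   # a unique NFT moves whole, whatever the quantity
        del self.listings[key]
        return total

def zero_quantity_purchase(validate_quantity):
    """Return (MAGIC charged or 'rejected', resulting owner) for a quantity-0 buy."""
    market = Marketplace(validate_quantity)
    key = ("constructed-collection", 1)   # constructed sample listing
    market.list_item("seller", key, 1000)
    market.magic["buyer"] = 0
    try:
        charged = market.buy_item("buyer", key, 0)
    except ValueError:
        return "rejected", market.owner[key]
    return charged, market.owner[key]

if __name__ == "__main__":
    print("without check:", zero_quantity_purchase(False))
    print("with check:   ", zero_quantity_purchase(True))
```

Without the lower-bound check the model charges 0 MAGIC and still reassigns ownership; with it, the call is rejected before any price is computed.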
TreasureDAO co-founder John Patten confirmed this in a tweet, saying:
“Treasure marketplace is being exploited. Please delist your items. We will cover the costs of the exploit — I will personally give up all of my Smols to repair this.”
The extent of the damage caused
Although the extent of the damage is not yet established, some social media posts reveal that one of the addresses used during the attack siphoned 17 Smol Brains, popular NFTs traded on Arbitrum.
4/ Here is the hack flow of some stolen NFTs from one hacker. Please delist your smols from @Treasure_DAO marketplace pic.twitter.com/9axjKxhdIr
— PeckShield Inc. (@peckshield) March 3, 2022
Currently, the TreasureDAO marketplace is under lockdown, with no trades being carried out until further notice. The team said that the listings are safe now, but they will have to review the code and redeploy the fixes on the marketplace.
There are also reports that the hackers have returned some NFTs.
The platform has said that users who do not receive their NFTs back will be compensated, although the issue of compensation first needs to be taken before the community and voted on by the decentralized autonomous organization (DAO).
According to the prices listed on the Treasure platform, the worth of the stolen NFTs is around 426.5K MAGIC (the protocol's native token, which had crashed from $3.82 to $2.55 at the time of writing following the attack).