TreasureDAO NFT Market Hacked: Difference between revisions

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

TreasureDAO

TreasureDAO has a NFT marketplace running on the Arbitum blockchain. A bug existed in the smart contract marketplace hot wallet where the NFTs could be taken by specifying a "quantity" of zero, at which point a price of 0 would be calculated for the item. This was exploited to steal hundreds of NFTs.

About TreasureDAO

^[1][2][3]

"Treasure is a decentralized NFT ecosystem on Arbitrum that is built specifically for metaverse projects. Every project listed on Treasure’s marketplace utilizes MAGIC in their respective metaverses, with each community inventing its own lore and storytelling for this resource. MAGIC, the native token of Treasure, is the sole currency for marketplace transactions. In this way, MAGIC acts as the reserve currency for the entire web of metaverses connected under the Treasure umbrella."

"Treasure bridges the growing network of metaverses through an open and composable approach to the convergence of NFTs, DeFi and Gaming." "Treasure projects are linked–narratively and economically–through MAGIC. The DAO uses MAGIC emissions to grow new projects and continue supporting more mature ones."

"Cross-ecosystem ties are bolstered through our interrelated resource model; $MAGIC (Power), Treasures (NFT | Resources) and Legions (NFT | Players)"

Treasure is a decentralized NFT ecosystem on the Arbitrum network that connects various metaverse projects^[4]. The ecosystem revolves around the native token $MAGIC, which powers the NFTs and serves as the main currency for marketplace transactions^[4]. $MAGIC is crucial for the entire Treasure economy and is used by the DAO to support new and mature projects^[4]. Treasures, which are NFT resources, play a significant role in the Treasure metaverse, and Legions are physical beings that players control^[4]. The TreasureDAO governs the ecosystem and is responsible for onboarding new metaverses and making decisions through voting^[4]. The Treasure marketplace, owned by the TreasureDAO, is a fully decentralized NFT marketplace that features various NFT collections, and it takes a commission on sales to fund new projects and support the ecosystem's growth^[4]. The team is also developing the Trove NFT marketplace to cater to a wider range of NFT collections^[4].

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

• When the service was actually started (if different than the "official story").
• Who actually ran a service and their own personal history.
• How the service was structured behind the scenes. (For example, there was no "trading bot".)
• Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The Treasure DAO was hacked on March 3. An attacker discovered an exploit resulting in the loss of “more than 100 NFTs from unsuspecting users."

Technical Details

^[17]

the TreasureDAO NFT marketplace experienced an exploit that allowed hackers to purchase NFTs without spending any MAGIC tokens, resulting in the theft of 153 NFTs. The majority of the stolen NFTs belonged to the Smol Brains collection, which is the most expensive project on the platform. TreasureDAO took swift action to reimburse affected users and shut down the smart contract involved in the exploit. The exploit was discovered by NFT enthusiasts on Twitter, who identified a bug in the platform's code that allowed NFTs with a quantity value of 0 to be sold for 0 MAGIC. The incident raised concerns that the bug may have spread to other platforms that used TreasureDAO's source code. Following the news of the exploit, the native token MAGIC experienced a significant drop in value. DappRadar will continue to monitor the situation in the NFT space and provide updates.^[14]

"According to the Isotile team, a greater-than sign was missing in an important line of the code. This essentially allowed NFTs that had a quantity value of 0, to be sold for the same value of 0 MAGIC."

"The incoming _quantity parameter is not judged to be 0." "According to SlowMist analysis, the core of this vulnerability lies in the lack of judgment that the incoming _quantity parameter is not 0 before the ERC-721 standard NFT transfer, resulting in ERC -721 Standard NFT can be transferred directly and the cost of purchasing NFT is calculated as 0 when calculating the price."

“The attacker took advantage of an error in the marketplace’s Buyer.buyItem function, which allowed them to set the _quantity equal to 0,” Certik’s post mortem says. “With a quantity of 0, totalPrice is also 0, as totalPrice = _pricePerItem * _quantity. This means the attacker paid nothing for the NFTs they ‘purchased.’ As there is no requirement that _quantity > 0, the function executes normally. This bug could be resolved by requiring a greater than 0 value for the _quantity variable.”

"To illustrate, we use the above hack tx and show the key steps below: (1) Call buyItem() with valid NFT token and NFT ID, but w/ invalid ZERO quantity. (2) Treasure Marketplace sells the NFT but charges ZERO MAGIC (due to ZERO quantity)." "The hack is made possible due to a bug in distinguishing ERC721 and ERC1155 in buyItem(), which mis-calculates the price of ERC721 as ERC1155 with the (untrusted) given 0 quantity."

PeckShield Analysis

BlockChain research firm PeckShield provides an analysis of the exploit^[10].

1/ The @Treasure_DAO was exploited in a series of [transactions], leading to 100+ NFTs stolen from several collections of Treasure Marketplace.

2/ To illustrate, we use [a hack transaction] and show the key steps below:

1. Call buyItem() with valid NFT token and NFT ID, but w/ invalid ZERO quantity

2. Treasure Marketplace sells the NFT but charges ZERO MAGIC (due to ZERO quantity)

3/  The hack is made possible due to a bug in distinguishing ERC721 and ERC1155 in buyItem(), which mis-calculates the price of ERC721 as ERC1155 with the (untrusted) given 0 quantity.

4/ Here is the hack flow of some stolen NFTs from one hacker. Please delist your smols from @Treasure_DAO marketplace

Total Amount Lost

The total amount lost has been estimated at $1,400,000 USD.

It is believed to include ^[18]

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

"Treasure DAO was hacked on March 3 at 7:33 a.m. (EST), according to a post mortem analysis authored by the security-focused firm Certik." "[A]n attacker discovered an exploit that resulted in the loss of “more than 100 NFTs from unsuspecting users."

“Treasure DAO, an NFT trading platform on Arbitrum, was exploited by an unknown attacker who took advantage of a flaw in the platform’s code,” Certik’s analysis details.

"Treasure DAO co-founder John Patten also tweeted about the event after the attacker stole the funds. “Treasure marketplace is being exploited. Please delist your items. We will cover the costs of the exploit—I will personally give up all of my Smols to repair this,” Patten said."

"I cannot fathom what subhuman targets a fair launch marketplace for robbery, but they will not defeat the community."

"A Crypto Twitter deep-dive reveals that TreasureDAO marketplace users started noticing zero price transactions going out of the marketplace. With team effort, users revealed that the underlying code of the platform allowed hackers to purchase previously listed NFTs for a price of 0 MAGIC."

"The TreasureDAO team quickly shut down the smart contract that allowed the exploit, which successfully limited the damages users sustained."

"17 Smol Brains, the most popular NFTs traded on Arbitrum, were stolen. Based on their listed prices on the TreasureDAO platform, the total value of these pieces came up to be 426,511.38 in MAGIC. However, the dollar value of the loot was around 1.4 million."

"The company’s report notes that “over 100 NFTs were stolen in the attack,” as the attacker leveraged a vulnerability in the marketplace’s “buyer buy item” function." "According to the team behind virtual world Isolite, a total of 153 NFTs were stolen from the marketplace. The majority of them belonged to the Smol Brains collection, which is the most expensive project on the platform. At the time of writing, the cheapest Smol Brains NFT costs 2,469 MAGIC, or about $8,400."

"Certik’s analysis of the Treasure DAO situation notes that the protocol’s native token MAGIC shed over 40% in losses against the U.S. dollar." "The aforementioned hack also triggered a sharp fall in the price of MAGIC. It went from around $3.8 to as low as $2.6 on the charts, according to CoinGecko. Even so, worth pointing out that in the hours later, the alt’s price recovered somewhat."

Warnings On Twitter

Edgar.eth was one of the first to report on the attack on Twitter^[5].

Seems to be a bug in the @Treasure_DAO marketplace.

Listed smols getting sold for 0 magic

Delist your smols

This was followed by another warning a couple minutes later by KeyboardMonkey3 to delist items^[6]. They linked to a post about "Smol Brains #5203 (Rarity Rank #3)"^[18].

DELIST ALL YOUR [ITEMS] OFF TREASURE MARKETPLACE, THIS ISNT A JOKE.  THIS WAS JUST STOLEN IN A MARKETPLACE EXPLOIT FOR 0 MAGIC, I JUST HAD A PINK SMOL STOLEN.  THESE ARE NOT REAL SALES, DELIST NOW. @Treasure_DAO KILL THE SITE

John Patten Tweet

Co-founder John Patten Tweet about the exploit shortly after the attack started^[7].

Treasure marketplace is being exploited. Please delist your items. We will cover the costs of the exploit—I will personally give up all of my Smols to repair this.

I cannot fathom what subhuman targets a fair launch marketplace for robbery, but they will not defeat the community

I vow to keep making free mints that make people happy even if this evil individual exploits every single one.

This is just the beginning.

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

"On further investigation, a blockchain address shared by Twitter sleuths gave some insight into the details associated with the exploit."

"Hours after it was stolen, developers confirmed that hackers had begun returning stolen “Smol Brains” and other NFTs."" “After some initial analysis and tracing of the hacker’s wallet on Twitter, many stolen NFTs were returned.” "Surprisingly, the hackers started to return stolen “Smol Brains” and other non-fungible tokens (NFTs) hours after the exploit. Other accounts too confirmed this development." "The price of MAGIC tokens recovered by 40% after hackers started to return the NFTs."

"Almost all Hacked NFTs being returned. Your smols and legions will get back to you soon friendss"

^[19]

Total Amount Recovered

The total amount recovered has been estimated at $1,400,000 USD.

^[13]

Surprisingly, the hackers started to return stolen “Smol Brains” and other non-fungible tokens (NFTs) hours after the exploit. Other accounts too confirmed this development.

Twitter user ^[9]

Almost all Hacked NFTs being returned. Your smols and legions will get back to you soon friendss

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

This issue could have been avoided by users not using smart contracts which do not have any expert audits completed.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Only NFTs listed on the platform were affected, so users could limit their exposure by listing fewer NFTs at any given time.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

This error would have been detected through proper smart contract auditing on the TreasureDAO platform.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

An industry insurance fund could step in to assist users affected by smart contract breaches.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

This error would have been detected through proper smart contract auditing on the TreasureDAO platform.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

An industry insurance fund could step in to assist users affected by smart contract breaches.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

Cite error: <ref> tag with name "fiahub-6958" defined in <references> is not used in prior text.