Hacker targets Treasure NFTs
Dear Bankless Nation,
Let’s say you have a choice NFT listed for sale.
Then one day out of the blue you see a Twitter bot announcing your epic NFT just sold for your considerable list price. Woah!
Yet when you go and actually look at your wallet to check, you see that your NFT is indeed gone but you’ve received nothing in kind.
Some users faced this sort of pain this week after an attacker conducted an exploit against the relatively new Treasure NFT marketplace. Let’s catch you up to speed on the basics of the incident for today’s Metaversal.
Understanding the Treasure exploit
First, a brief glossary of Treasure
- Treasure — Currently the most popular NFT marketplace on Arbitrum, a layer-two (L2) Ethereum scaling solution.
- TreasureDAO — The collective that steers the Treasure ecosystem, co-founded by John Patten.
- MAGIC — The native currency (ERC-20) of the Treasure marketplace and ecosystem.
- Smol Brains — A popular “fair launched” NFT collection in the Treasure ecosystem, roughly analogous to Arbitrum’s version of CryptoPunks.
- Legions — NFTs that represent players in Treasure’s Bridgeworld gaming universe.
So what happened to the Treasure market?
- On Wednesday, March 2nd, some Treasure users noticed their listed NFTs were selling for 0 MAGIC.
- As word spread that an exploit was occurring, people rushed to delist their NFTs from Treasure. Then TreasureDAO paused the marketplace’s smart contract to prevent further exploit transactions.
- However, when the dust had settled, a series of wallets had incorrectly “purchased” over 150 NFTs for free, including from the Smol Brains and Legions collections. It remains unclear whether one person or a group is behind these wallets.
How the exploit worked
- Essentially, the Treasure smart contract wasn’t checking whether NFTs could be worth 0, which in turn allowed the attacker to buy many assets for free before the marketplace was paused.
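A simplified model of the missing check described above, added here as an illustration; it is not Treasure's contract code. It assumes a hypothetical marketplace that computes the payment as a listed price times a buyer-supplied quantity, and the names Market, Listing, buy_unchecked and buy_checked are invented for the example.

```python
from collections import namedtuple

Listing = namedtuple("Listing", "seller price quantity")  # quantity is 1 for a unique token

class SaleRejected(Exception):
    """Raised when a listing or purchase fails validation."""

class Market:
    """Toy ledger (constructed): token owners and payment-token balances."""
    def __init__(self, balances, owners):
        self.balances, self.owners, self.listings = dict(balances), dict(owners), {}

    def list_item(self, token_id, price, quantity=1):
        if price <= 0 or quantity <= 0:
            raise SaleRejected("listing needs a positive price and quantity")
        self.listings[token_id] = Listing(self.owners[token_id], price, quantity)

    def _settle(self, token_id, buyer, total):
        if self.balances.get(buyer, 0) < total:
            raise SaleRejected("insufficient balance")
        seller = self.listings.pop(token_id).seller
        self.balances[buyer] = self.balances.get(buyer, 0) - total
        self.balances[seller] = self.balances.get(seller, 0) + total
        self.owners[token_id] = buyer
        return total

    def buy_unchecked(self, token_id, buyer, quantity):
        # Weak form: the total is derived from caller input and never validated.
        return self._settle(token_id, buyer, self.listings[token_id].price * quantity)

    def buy_checked(self, token_id, buyer, quantity):
        listing = self.listings.get(token_id)
        if listing is None or not 1 <= quantity <= listing.quantity:
            raise SaleRejected("not listed, or quantity out of range")
        total = listing.price * quantity
        if total <= 0:  # settlement invariant, kept even though the checks above imply it
            raise SaleRejected("sale would settle for zero payment")
        return self._settle(token_id, buyer, total)

def demo(quantity=0):  # one purchase through both paths on a constructed listing
    weak, strong = (Market({"buyer": 0}, {42: "seller"}) for _ in range(2))
    weak.list_item(42, 5_000)
    strong.list_item(42, 5_000)
    paid, reason = weak.buy_unchecked(42, "buyer", quantity), None
    try:
        strong.buy_checked(42, "buyer", quantity)
    except SaleRejected as err:
        reason = str(err)
    return paid, weak.owners[42], reason, strong.owners[42]
```

With the default input, the unchecked path transfers the token for a payment of 0 to a buyer holding no funds, while the checked path rejects the purchase and ownership stays with the seller.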
Attack rendered futile
- In the early minutes of the attack, whitehat Treasure users were able to buy back some of the stolen NFTs cheaply and have since returned the assets to their rightful owners.
- Then, after Treasure’s marketplace was paused, the attacker was stuck with 100+ NFTs they couldn’t sell. No liquidity meant no easy way to cash out.
- Accordingly, not long after the exploit occurred, the culprit actually started returning dozens of the stolen NFTs to their rightful owners!
The TreasureDAO response
In the wake of the attack, TreasureDAO published a preliminary assessment of the incident in its community Discord.
“We need to do better,” they said. “We are in discussions with leading audit firms to give our community comfort that the risk of exploits are mitigated.”
The project also listed out 5 corrective courses of action that it was currently focused on, namely:
- Keeping the Treasure marketplace frozen for now.
- A full review of the market’s code.
- Redeploying a fixed version of Treasure upon review.
- Facilitating the return of any remaining rescued NFTs.
- And a community vote on further remediation options for affected users.
Fortunately, as of the morning of March 3rd, TreasureDAO also announced that 114 of the 153 affected NFTs had been returned to their rightful owners.
The big picture
- TreasureDAO averted catastrophe, and many people now have their stolen NFTs back. This is good.
- Yet the code flaw that led to the incident was so basic that it’s thrown into question whether Treasure’s smart contract was ever seriously audited before. This is bad.
- All things considered, it seems highly likely that the Treasure ecosystem will rebound just fine from this episode. However, the attack is only the latest major reminder that the wider NFT ecosystem needs to start taking security much more seriously in general.