All you need to know about TreasureDAO’s exploit, stolen ‘Smol Brains’ NFTs
Non-Fungible Tokens (NFTs) have been quite the rage within the crypto-community of late. They gained traction in 2021, with even celebrities jumping onto the bandwagon. However, hackers saw this as an opportunity to exploit money-making digital platforms.
Different projects have fallen prey to various illicit activities, resulting in loss of funds. In the latest such incident, the biggest marketplace for NFTs on the Arbitrum blockchain – TreasureDAO – took a hit.
Sound the ‘Red alert’
TreasureDAO, an NFT trading market built on Arbitrum, is the latest to fall victim to an exploit. In this incident, hackers purchased NFTs listed on the market at zero cost.
TreasureDAO co-founder John Patten confirmed the exploit in a tweet shared on 3 March:
“Treasure marketplace exploited. Please delist your items. We will cover the costs of the exploit, I will personally give up all of my Smols to repair this”
Soon after, TreasureDAO advised users to “delist everything” through messages posted on its Discord server. The representatives later informed the community that they had identified the issue.
17 Smol Brains, the most popular NFTs traded on Arbitrum, were stolen. Based on their listed prices on the TreasureDAO platform, the total value of these pieces came to 426,511.38 MAGIC. The dollar value of the loot was around $1.4 million.
Understandably, this episode triggered alarm bells in the minds of many in the community.
DELIST ALL YOUR SHIT OFF TREASURE MARKETPLACE, THIS ISNT A JOKE. THIS WAS JUST STOLEN IN A MARKETPLACE EXPLOIT FOR 0 MAGIC, I JUST HAD A PINK SMOL STOLEN. THESE ARE NOT REAL SALES, DELIST NOW. @Treasure_DAO KILL THE SITE https://t.co/8TySOce5kW
— Keyboard Monkey (@KeyboardMonkey3) March 3, 2022
Blockchain security and data firm PeckShield also published an analysis of the incident. According to that analysis, more than 100 NFTs from several collections were stolen from the marketplace.
2/ To illustrate, we use the above hack tx and show the key steps below:
Call buyItem() with valid NFT token and NFT ID, but w/ invalid ZERO quantity
Treasure Marketplace sells the NFT but charges ZERO MAGIC (due to ZERO quantity) pic.twitter.com/OXGAHTtnZ2
— PeckShield Inc. (@peckshield) March 3, 2022
The report found that the hack was made possible by a bug in how buyItem() distinguishes ERC721 from ERC1155 tokens.
“It miscalculated the price of ERC721 as ERC1155 with the (untrusted) given 0 quantity,” the analyst asserted.
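The flaw PeckShield describes, modelled in Python next to a version that validates the quantity before pricing. This is an added example, not Treasure's contract code; the Listing fields, function names, token ID and prices are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ERC721, ERC1155 = "ERC721", "ERC1155"

@dataclass
class Listing:
    standard: str        # token standard of the listed collection
    token_id: int
    quantity: int        # units on sale (always 1 for an ERC721)
    price_per_item: int  # price in MAGIC (constructed values below)

class InvalidPurchase(Exception):
    """Raised when a purchase request fails validation."""

def buy_item_flawed(listing: Listing, quantity: int) -> tuple[int, int]:
    """Price follows the caller-supplied quantity, but an ERC721 is
    handed over whole whatever that quantity is."""
    total = listing.price_per_item * quantity  # 0 when quantity == 0
    units = 1 if listing.standard == ERC721 else quantity
    return total, units  # (MAGIC charged, units transferred)

def buy_item_checked(listing: Listing, quantity: int) -> tuple[int, int]:
    """Validate the untrusted quantity against the token standard, then
    derive the charge from the units that will actually move."""
    if quantity <= 0:
        raise InvalidPurchase("quantity must be positive")
    if listing.standard == ERC721 and quantity != 1:
        raise InvalidPurchase("an ERC721 is bought as exactly one unit")
    if quantity > listing.quantity:
        raise InvalidPurchase("quantity exceeds what is listed")
    units = quantity
    total = listing.price_per_item * units  # same number drives both
    return total, units

# Constructed sample listings, not real marketplace data.
SMOL = Listing(ERC721, token_id=1234, quantity=1, price_per_item=25_000)
ITEM = Listing(ERC1155, token_id=7, quantity=5, price_per_item=40)

def demo() -> dict:
    out = {"flawed_zero_qty": buy_item_flawed(SMOL, 0)}
    try:
        buy_item_checked(SMOL, 0)
    except InvalidPurchase as exc:
        out["checked_zero_qty"] = str(exc)
    out["checked_one"] = buy_item_checked(SMOL, 1)
    out["checked_1155"] = buy_item_checked(ITEM, 3)
    return out

if __name__ == "__main__":
    print(demo())
```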
The hack also triggered a sharp fall in the price of MAGIC, which went from around $3.8 to as low as $2.6 on the charts, according to CoinGecko. Even so, it is worth pointing out that the alt’s price recovered somewhat in the hours that followed.
Twist in this tale
Surprisingly, the hackers started to return stolen “Smol Brains” and other non-fungible tokens (NFTs) hours after the exploit. Other accounts too confirmed this development.
Almost all Hacked NFTs being returned. Your smols and legions will get back to you soon friends pic.twitter.com/IVOr0V5clG
— brokeboy96 | MoonBoi (@Br0keboy96) March 3, 2022