A post-mortem investigation by the security firm Certik reports that Treasure DAO, a non-fungible token (NFT) marketplace built on top of Arbitrum, was hacked on March 3 at 7:33 a.m. (EST). According to the company’s analysis, the attacker stole “almost 100 NFTs” by exploiting a vulnerability in the marketplace’s “buyer buy item” function.
Certik’s Post-Mortem Analysis Confirms Arbitrum’s NFT Trading Platform Treasure DAO Was Exploited for Over 100 NFTs
Treasure DAO, the major Arbitrum NFT marketplace, was targeted on Thursday after an attacker identified an exploit that resulted in the theft of “over 100 NFTs from unsuspecting customers.” Certik, a company that researches, monitors, and analyses smart contracts, blockchain technology, and decentralised finance (defi) protocols, sent Bitcoin.com News a post mortem analysis of the attack.
“Treasure DAO, an Arbitrum-based NFT trading platform, was hacked by an unknown attacker who took advantage of a weakness in the site’s code,” Certik’s investigation says. “As a result of the attack, over 100 NFTs were stolen from unsuspecting consumers. Numerous stolen NFTs were returned following initial research and tracing of the hacker’s wallet on Twitter.”
“The attacker exploited a mistake in the marketplace’s Buyer.buyItem method to set the _quantity to zero,” Certik’s post mortem states. “With a quantity of zero, totalPrice is also zero, because totalPrice equals _pricePerItem * _quantity. This means the attacker made no payment for the ‘bought’ NFTs. Because _quantity > 0 is not required, the function executes normally. This issue could be rectified by requiring the _quantity variable to have a value greater than zero.”
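The flaw Certik describes is easy to see in a minimal marketplace contract. The sketch below is an added illustration, not Treasure DAO’s code or Certik’s, and it assumes a simplified listing model (an ERC-721 style NFT whose transfer call takes no quantity, so the quantity only affects the price, and an ERC-20 payment token); the interface names, the Listing struct and the createListing helper are assumptions made for the example. buyItemVulnerable shows the pattern from the post mortem, where _quantity of zero zeroes totalPrice while the token is still transferred; buyItem adds the _quantity > 0 requirement Certik recommends, plus a check that a listing exists, so the call reverts before any transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Treasure DAO's marketplace code.
// Assumed: ERC-721 style NFT (transferFrom moves the whole token, no quantity)
// and an ERC-20 payment token that accepts a zero-amount transfer.
interface IERC721Like {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract MarketplaceSketch {
    struct Listing {
        uint256 quantity;     // units the seller has listed (assumed field)
        uint256 pricePerItem; // payment-token units per NFT (assumed field)
    }

    IERC20Like public immutable paymentToken;

    // nftAddress => tokenId => seller => listing (assumed layout)
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;

    constructor(IERC20Like _paymentToken) {
        paymentToken = _paymentToken;
    }

    // Helper for the example: the seller lists a token at a unit price.
    function createListing(address _nftAddress, uint256 _tokenId, uint256 _quantity, uint256 _pricePerItem) external {
        require(_quantity > 0, "listing: quantity must be > 0");
        listings[_nftAddress][_tokenId][msg.sender] = Listing(_quantity, _pricePerItem);
    }

    // VULNERABLE pattern from the post mortem: nothing rejects _quantity == 0.
    // totalPrice = pricePerItem * 0 = 0, the zero payment succeeds, and the
    // NFT transfer below does not depend on _quantity, so the token moves for free.
    function buyItemVulnerable(address _nftAddress, uint256 _tokenId, address _owner, uint256 _quantity) external {
        Listing storage listed = listings[_nftAddress][_tokenId][_owner];
        require(listed.quantity >= _quantity, "buy: not enough listed"); // 1 >= 0 passes

        uint256 totalPrice = listed.pricePerItem * _quantity; // 0 when _quantity == 0
        listed.quantity -= _quantity;
        if (listed.quantity == 0) {
            delete listings[_nftAddress][_tokenId][_owner];
        }

        require(paymentToken.transferFrom(msg.sender, _owner, totalPrice), "buy: payment failed");
        IERC721Like(_nftAddress).transferFrom(_owner, msg.sender, _tokenId);
    }

    // HARDENED version: the single check the post mortem recommends, plus an
    // explicit "listing exists" check, so a zero-quantity call reverts before
    // any payment or NFT transfer is attempted.
    function buyItem(address _nftAddress, uint256 _tokenId, address _owner, uint256 _quantity) external {
        require(_quantity > 0, "buy: quantity must be > 0");
        Listing storage listed = listings[_nftAddress][_tokenId][_owner];
        require(listed.quantity > 0, "buy: no active listing");
        require(listed.quantity >= _quantity, "buy: not enough listed");

        uint256 totalPrice = listed.pricePerItem * _quantity; // never zero for a priced listing
        listed.quantity -= _quantity;
        if (listed.quantity == 0) {
            delete listings[_nftAddress][_tokenId][_owner];
        }

        require(paymentToken.transferFrom(msg.sender, _owner, totalPrice), "buy: payment failed");
        IERC721Like(_nftAddress).transferFrom(_owner, msg.sender, _tokenId);
    }
}
```

The two functions differ only in their guards; the arithmetic and the transfers are identical. That is the point Certik makes about a single line of code: the “not more than listed” check looks like input validation but admits zero, and the price is derived from the same unvalidated value. A test suite for a marketplace of this shape should include an explicit zero-quantity purchase that is expected to revert, since the happy-path tests (buy one, buy all) never exercise it.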
Additionally, Certik’s examination of the Treasure DAO scenario shows that the protocol’s native token, MAGIC, has lost more than 40% of its value against the US dollar. John Patten, co-founder of Treasure DAO, also tweeted about the incident following the attacker’s theft of the assets. “The marketplace for treasures is being abused. Kindly remove your things from the marketplace. We will cover the costs of the exploit—personally, I will forfeit all of my Smols to correct this,” Patten stated. Additionally, the Treasure DAO’s co-founder stated:
“I cannot fathom what subhuman targets a fair launch marketplace for robbery, but they will not defeat the community.”
Certik Declares That Continuous On-Chain Analysis and Pre-Deployment Audits Will Help Prevent Future Blockchain Protocol Exploits
Certik security analysts report that while no one knows who is responsible for the attack, many users are “just relieved to have their stolen NFTs restored.” The company’s post mortem description of the incident continues by noting that huge losses can result from a single line of code being exploited. The company firmly believes that monitoring blockchain protocols on-chain and conducting pre-deployment audits can help prevent future problems.
“This attack demonstrates once again the multimillion-dollar repercussions of a single line of code,” Certik concludes in its study. “A rigorous pre-deployment audit coupled with continuing on-chain analysis is the best method for Web3 initiatives to demonstrate their commitment to security and reassure their clients about the security of their funds.”
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.