Metaversal is a Bankless newsletter for weekly level-ups on NFTs, virtual worlds, & collectibles
Dear Bankless Nation,
Let’s say you have a choice NFT listed for sale.
Then one day out of the blue you see a Twitter bot announcing your epic NFT just sold for your considerable list price. Woah!
Yet when you go and actually look at your wallet to check, you see that your NFT is indeed gone but you’ve received nothing in kind.
Some users faced this sort of pain this week after an attacker conducted an exploit against the relatively new Treasure NFT marketplace. Let’s catch you up to speed on the basics of the incident for today’s Metaversal.
🙏 Sponsor: Polygon Studios—Fostering culture across Gaming, NFTs, and the Metaverse✨
Understanding the Treasure exploit
First, a brief glossary of Treasure
Treasure — Currently the most popular NFT marketplace on Arbitrum, a layer-two (L2) Ethereum scaling solution.
TreasureDAO — The collective that steers the Treasure ecosystem, co-founded by John Patten.
MAGIC — The native currency (ERC-20) of the Treasure marketplace and ecosystem.
Smol Brains — A popular “fair launched” NFT collection in the Treasure ecosystem, roughly analogous to Arbitrum’s version of CryptoPunks.
Legions — NFTs that represent players in Treasure’s Bridgeworld gaming universe.
So what happened to the Treasure market?
On Wednesday, March 2nd, some Treasure users noticed their listed NFTs were selling for 0 MAGIC.
As word spread that an exploit was occurring, people rushed to delist their NFTs from Treasure. Then TreasureDAO paused the marketplace’s smart contract to prevent further exploit transactions.
However, when the dust had settled, a series of wallets had incorrectly “purchased” over 150 NFTs, including from the Smol Brains and Legions collections, for free. It remains unclear whether one person or a group is behind these culprit wallets.
How the exploit worked
Essentially, the Treasure smart contract didn’t check for a sale settling at 0 MAGIC, which in turn allowed the attacker to buy many assets for free before the marketplace was paused.
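As an added illustration (not Treasure’s or TreasureDAO’s code), here is how a simplified marketplace contract can enforce that no sale ever settles for zero payment: the listed price, the requested quantity and the computed total are each checked, and payment is pulled before any NFT moves. The ERC-20/ERC-721 interfaces, the `maxPrice` cap and the one-item-per-listing rule are my assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch, not Treasure's contract. Assumed interfaces:
// paymentToken is an ERC-20 (a MAGIC-like token), nft is an ERC-721.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract ZeroPriceSafeMarket {
    struct Listing { address seller; uint256 pricePerItem; uint256 quantity; }

    IERC20 public immutable paymentToken;
    // listings[nftContract][tokenId]
    mapping(address => mapping(uint256 => Listing)) public listings;

    constructor(IERC20 token) { paymentToken = token; }

    function list(address nft, uint256 tokenId, uint256 pricePerItem) external {
        // Check 1: a listing may never carry a zero price.
        require(pricePerItem > 0, "price must be > 0");
        listings[nft][tokenId] = Listing(msg.sender, pricePerItem, 1);
    }

    function buy(address nft, uint256 tokenId, uint256 quantity, uint256 maxPrice) external {
        Listing memory l = listings[nft][tokenId];
        require(l.seller != address(0), "not listed");
        // Check 2: the buyer cannot request zero items; an ERC-721 listing is exactly one.
        require(quantity == 1 && l.quantity == 1, "bad quantity");
        uint256 total = l.pricePerItem * quantity;
        // Check 3: the amount actually charged is never zero, whatever the inputs were.
        require(total > 0, "zero-value sale");
        require(total <= maxPrice, "price above buyer cap");
        delete listings[nft][tokenId]; // effects before interactions
        // Pull payment first; a token that returns false reverts the whole sale.
        require(paymentToken.transferFrom(msg.sender, l.seller, total), "payment failed");
        IERC721(nft).safeTransferFrom(l.seller, msg.sender, tokenId);
    }
}
```

Any one of the three checks alone stops a free purchase; keeping all three means a bug in one code path (listing, quantity handling or price arithmetic) cannot silently turn into a zero-value transfer.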
Attack rendered futile
In the early minutes of the attack, whitehat Treasure users were able to buy back some of the stolen NFTs cheaply and have since returned the assets to their rightful owners.
Then, after the Treasure marketplace was paused, the attacker was stuck with 100+ NFTs they couldn’t sell. No liquidity meant nothing easy to cash out.
Accordingly, not long after the exploit occurred the culprit actually started returning dozens of the stolen NFTs to their rightful owners!
The TreasureDAO response
In the wake of the attack, TreasureDAO published a preliminary assessment of the incident in its community Discord.
“We need to do better,” they said. “We are in discussions with leading audit firms to give our community comfort that the risk of exploits are mitigated.”
The project also listed out 5 corrective courses of action that it was currently focused on, namely:
Keeping the Treasure marketplace frozen for now.
A full review of the market’s code.
Redeploying a fixed version of Treasure upon review.
Facilitating the return of any remaining rescued NFTs.
And a community vote on further remediation options for affected users.
Fortunately, as of the morning of March 3rd TreasureDAO also announced that 114 of the 153 affected NFTs have been returned to their rightful owners.
The big picture
TreasureDAO averted catastrophe, and many people now have their stolen NFTs back. This is good.
Yet the code flaw that led to the incident was so basic that it’s thrown into question whether Treasure’s smart contract was ever seriously audited before. This is bad.
All things considered, it seems highly likely that the Treasure ecosystem will rebound just fine from this episode. However, the attack is only the latest major reminder that the wider NFT ecosystem needs to start taking security much more seriously in general.
👑 Read my primer A Quick Guide to Treasure to learn more about the Treasure ecosystem
👹 Check out my last write-up The Pixelmon NFT Debacle if you missed it!
William M. Peaster is a professional writer and creator of Metaversal—a Bankless newsletter focused on the emergence of NFTs in the cryptoeconomy. He’s also recently been contributing content to Bankless, JPG, and beyond!
🙏Thanks to our sponsor
Polygon Studios is on a mission to help build digital culture, play-to-earn gaming, NFTs, and the Metaverse ecosystem on Polygon. Some of the key projects supported by Polygon Studios include The Sandbox, Skyweaver, Big Time, Crypto Unicorns, and Decentraland—among others. Polygon Studios also helps fundraising & onboarding. Check it out here.
Stay updated on the latest amazing gaming, NFT, and metaverse projects:
👉 Join the Polygon Studios Discord
👉 Follow Polygon Studios on Twitter
Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.
Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.
William, thank you for the info and concern.
Worry not, I learn by curiosity and am less likely to click on unknown links. Therefore a way to avoid hackers is by being skeptical and curious.
Anyone out there playing at being a hacker and mind games receives the retribution of their own karma.
I believe in the authenticity of your info and therefore I believe you.
Thank you for posting a nicely written letter about NFTs and the Metaverse and Web3.
Stay safe and attentive.