Metaversal

Hacker targets Treasure NFTs

metaversal.banklesshq.com

Arbitrum’s leading NFT marketplace takes a hit but rebounds!

William M. Peaster
Mar 3, 2022

Metaversal is a Bankless newsletter for weekly level-ups on NFTs, virtual worlds, & collectibles


Dear Bankless Nation,

Let’s say you have a choice NFT listed for sale. 

Then one day out of the blue you see a Twitter bot announcing your epic NFT just sold for your considerable list price. Woah!

Yet when you go and actually look at your wallet to check, you see that your NFT is indeed gone but you’ve received nothing in kind. 

Some users faced this sort of pain this week after an attacker conducted an exploit against the relatively new Treasure NFT marketplace. Let’s catch you up to speed on the basics of the incident for today’s Metaversal.

-WMP


🙏 Sponsor: Polygon Studios—Fostering culture across Gaming, NFTs, and the Metaverse✨


Understanding the Treasure exploit

Image via marketplace.treasure.lol

First, a brief glossary of Treasure

  • Treasure — Currently the most popular NFT marketplace on Arbitrum, a layer-two (L2) Ethereum scaling solution.  

  • TreasureDAO — The collective that steers the Treasure ecosystem, co-founded by John Patten.

  • MAGIC — The native currency (ERC-20) of the Treasure marketplace and ecosystem.

  • Smol Brains — A popular “fair launched” NFT collection in the Treasure ecosystem, roughly analogous to Arbitrum’s version of CryptoPunks.  

  • Legions — NFTs that represent players in Treasure’s Bridgeworld gaming universe.

So what happened to the Treasure market?

  • On Wednesday, March 2nd, some Treasure users noticed their listed NFTs were selling for 0 MAGIC.

Keyboard Monkey @KeyboardMonkey3
DELIST ALL YOUR SHIT OFF TREASURE MARKETPLACE, THIS ISN'T A JOKE. THIS WAS JUST STOLEN IN A MARKETPLACE EXPLOIT FOR 0 MAGIC, I JUST HAD A PINK SMOL STOLEN. THESE ARE NOT REAL SALES, DELIST NOW. @Treasure_DAO KILL THE SITE

Quoting Smol Brains Sales @SmolSales:
Smol Brains #5203 (Rarity Rank #3) Sold for MAGIC: 150000 USD: $585,555.00 ETH: 199.2 https://t.co/JN3oLEjd1H #smolbrains #treasuredao https://t.co/fvVNw6cGKQ

12:35 AM ∙ Mar 3, 2022
  • As word spread that an exploit was occurring, people rushed to delist their NFTs from Treasure. Then TreasureDAO paused the marketplace’s smart contract to prevent further exploit transactions. 

  • However, when the dust had settled, a series of wallets had wrongly “purchased” over 150 NFTs, including from the Smol Brains and Legions collections, for free. It remains unclear whether one person or a group is behind these wallets.

How the exploit worked

  • Essentially, the Treasure marketplace contract never checked that the quantity being bought was greater than 0. A purchase with a quantity of 0 therefore cost 0 MAGIC while still transferring the NFT, which let the attacker take many assets for free before the marketplace was paused.

meows.eth @cat5749
5/ The exploit was straightforward: It took advantage of the contract's `buyItem` function, which did not make sure that the quantity of an ERC-721 purchased was greater than 0. Because of this, all ERC-721 tokens on the Treasure marketplace could be "purchased" for free.
1:15 AM ∙ Mar 3, 2022
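As an added illustration (constructed example code, not Treasure's contract, which this page does not reproduce), here is a cut-down Solidity marketplace whose `buyItem` charges quantity times price-per-item; the commented `require` is the kind of one-line quantity check the thread above says was missing. The struct, mapping and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the bug class described above; not Treasure's code.
// All names here (Listing, listings, buyItem, paymentToken) are assumptions.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract MinimalMarketplace {
    struct Listing {
        uint256 quantity;     // always 1 for an ERC-721
        uint256 pricePerItem; // in paymentToken units (MAGIC on Treasure)
    }

    IERC20 public immutable paymentToken;
    // nft contract => tokenId => seller => listing
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;

    constructor(IERC20 _paymentToken) {
        paymentToken = _paymentToken;
    }

    function createListing(address _nft, uint256 _tokenId, uint256 _pricePerItem) external {
        require(_pricePerItem > 0, "price must be > 0");
        listings[_nft][_tokenId][msg.sender] = Listing(1, _pricePerItem);
    }

    // The buyer chooses _quantity and pays _quantity * pricePerItem. If _quantity is
    // never validated, a buy with _quantity == 0 costs nothing, yet the ERC-721
    // transfer at the bottom still executes. That is the failure mode described above.
    function buyItem(address _nft, uint256 _tokenId, address _owner, uint256 _quantity) external {
        Listing memory listed = listings[_nft][_tokenId][_owner];
        require(listed.quantity > 0, "not listed");

        // The one-line fix: reject zero (and excess) quantities before any value moves.
        require(_quantity > 0 && _quantity <= listed.quantity, "invalid quantity");

        uint256 totalPrice = listed.pricePerItem * _quantity;
        delete listings[_nft][_tokenId][_owner]; // effects before external calls

        require(paymentToken.transferFrom(msg.sender, _owner, totalPrice), "payment failed");
        IERC721(_nft).safeTransferFrom(_owner, msg.sender, _tokenId);
    }
}
```

A unit test that calls `buyItem` with a quantity of 0 and expects a revert is the regression check that would have caught this class of bug before deployment.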

Attack rendered futile

  • In the early minutes of the attack, whitehat Treasure users were able to buy back some of the stolen NFTs cheaply and have since returned the assets to their rightful owners.

  • Then, after the Treasure marketplace was paused, the attacker was stuck with 100+ NFTs they couldn’t sell. No liquidity meant nothing easy to cash out.

  • Accordingly, not long after the exploit occurred the culprit actually started returning dozens of the stolen NFTs to their rightful owners!

brokeboy96 | MoonBoi @Br0keboy96
Almost all Hacked NFTs being returned. Your smols and legions will get back to you soon friends
4:28 AM ∙ Mar 3, 2022

The TreasureDAO response

  • In the wake of the attack, TreasureDAO published a preliminary assessment of the incident in its community Discord. 

  • “We need to do better,” they said. “We are in discussions with leading audit firms to give our community comfort that the risk of exploits are mitigated.”

  • The project also listed out 5 corrective courses of action that it was currently focused on, namely:

    • Keeping the Treasure marketplace frozen for now.

    • A full review of the market’s code.

    • Redeploying a fixed version of Treasure upon review.

    • Facilitating the return of any remaining rescued NFTs.

    • And a community vote on further remediation options for affected users. 

  • Fortunately, as of the morning of March 3rd TreasureDAO also announced that 114 of the 153 affected NFTs have been returned to their rightful owners. 

TreasureDAO @Treasure_DAO
Thank you to the community for your support during the marketplace exploit. It was a difficult moment, but your support speaks volumes about the resilience of the $MAGIC ✨ community. We are heads down focused on finding the 50 NFTs that remain stolen and making buyers whole.
2:09 PM ∙ Mar 3, 2022

The big picture

  • TreasureDAO averted catastrophe, and many people now have their stolen NFTs back. This is good. 

  • Yet the code flaw that led to the incident was so basic that it’s thrown into question whether Treasure’s smart contract was ever seriously audited before. This is bad. 

harry.eth 🦊💙 @sniko_
@edgar_eth @Treasure_DAO All it needed is this one line
1:48 AM ∙ Mar 3, 2022

  • All things considered, it seems highly likely that the Treasure ecosystem will rebound just fine from this episode. However, the attack is only the latest major reminder that the wider NFT ecosystem needs to start taking security much more seriously in general. 

meows.eth @cat5749
6/ This exploit is a stark reminder that security is at the forefront of everything we do in web3. Some high-level ideas that may have helped catch this bug:
- Stricter code reviews before code is merged
- Extensive unit-testing of critical functions like these
1:15 AM ∙ Mar 3, 2022

Action steps

  • 👑 Read my primer A Quick Guide to Treasure to learn more about the Treasure ecosystem

  • 👹 Check out my last write-up The Pixelmon NFT Debacle if you missed it!


Author Bio

William M. Peaster is a professional writer and creator of Metaversal—a Bankless newsletter focused on the emergence of NFTs in the cryptoeconomy. He’s also recently been contributing content to Bankless, JPG, and beyond!




🙏Thanks to our sponsor

POLYGON STUDIOS

Polygon Studios is on a mission to help build digital culture, play-to-earn gaming, NFTs, and the Metaverse ecosystem on Polygon. Some of the key projects supported by Polygon Studios include The Sandbox, Skyweaver, Big Time, Crypto Unicorns, and Decentraland—among others. Polygon Studios also helps fundraising & onboarding. Check it out here.

Stay updated on the latest amazing gaming, NFT, and metaverse projects:

👉 Join the Polygon Studios Discord

👉 Follow Polygon Studios on Twitter


Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.


Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.

1 Comment

Rosie Hamer (HRH) 🌐👌
Mar 3, 2022

William, thank you for the info and concern.

Worry not, I learn by curiosity and I am less likely to click on unknown links. Therefore a way to avoid hackers is by being skeptical and curious.

Anyone out there playing at being a hacker and mind games receives the retribution of their own karma.

I believe in the authenticity of your info and therefore I believe you.

Thank you for posting a nicely written letter about NFTs and Metaverse and Web3.

Stay safe and attentive.
