According to the company’s report, “more than 100 NFTs were stolen during the attack” as the attacker exploited a vulnerability within the market’s “buyer-buy item” function.
Certik’s Post-Mortem Analysis reveals that Arbitrum NFT Trading Platform Treasure was Exploited for More than 100 NFTs
An attacker found a vulnerability that allowed the theft of more than 100 NFTs from unwitting users. The attack on Treasure DAO, the leading Arbitrum NFT marketplace, was carried out by Certik. This company analyzes, monitors and assesses smart contracts and blockchain tech as well as decentralized finance (defi), protocols.
Certik’s analysis reveals that “Treasure DAO,” an NFT trading platform on Arbitrum was exploited. The exploit led to the theft of over 100 NFTs by unsuspecting users. Many stolen NFTs were recovered after an initial analysis and trace of the wallet on Twitter by the hacker.
Certik’s post-mortem says that the attacker exploited a bug in the marketplace’s Buyer.buyItem function. This allowed them to set the quantity equal to 0. “With a quantity equal to 0, totalPrice also equals 0, since totalPrice = pricePerItem * quantity. This means that the attacker did not pay for the NFTs they allegedly purchased. This bug can be fixed by requiring that the _quantity variable has a value greater than 0.
Certik’s analysis on the Treasure DAO situation also shows that the native token MAGIC suffered losses of over 40% against the U.S. Dollar. John Patten, Treasure DAO’s co-founder, tweeted about it after the attacker stole the funds. “Treasure market is being exploited. Please remove your items from the Treasure Marketplace. Patten stated that we will pay for the exploit costs. He also said that he would give up all his Smols in order to fix it. Co-founder of Treasure DAO, Patten added:
Although I am unable to fathom why a subhuman would choose robbery as a fair launch market, they won’t defeat the community.
Certik says that ongoing On-Chain Analysis can help prevent future Blockchain Protocol Exploits
Certik security analysts claim that no one knows the source of the exploit, but they also stated that users could “just be glad to see their stolen NFTs back.” A post-mortem review by the company concludes that even one line of code can cause significant losses. Firm believes that on-chain monitoring specific blockchain protocols and predeployment audits will help prevent future vulnerabilities.
Certik’s report concluded that “this hack once more highlights the million-dollar consequences that a single code line can have.” Web3 projects should conduct a thorough pre-deployment audit, as well as ongoing on-chain analyses to show their commitment to security. This will help them to assure their customers that they are secure with their funds.
