Attacker Hacks Arbitrum’s Treasure DAO for Over 100 NFTs by Leveraging Marketplace Exploit


A non-fungible token marketplace platform built on top of Arbitrum called Treasure DAO was hacked on March 3 at 7:33 a.m. (EST), according to a post mortem analysis authored by the security-focused firm Certik. The company’s report notes that “over 100 NFTs were stolen in the attack,” as the attacker leveraged a vulnerability in the marketplace’s “buyer buy item” function.

Post Mortem Analysis by Certik Shows Arbitrum NFT Trading Platform Treasure DAO Exploited for More Than 100 NFTs

The leading Arbitrum NFT marketplace Treasure DAO was attacked on Thursday after an attacker discovered an exploit that resulted in the loss of “more than 100 NFTs from unsuspecting users.” The post mortem analysis of the attack was sent to Bitcoin.com News by the blockchain security firm Certik, a company that analyzes, monitors, and assesses smart contracts, blockchain tech, and decentralized finance (defi) protocols.

“Treasure DAO, an NFT trading platform on Arbitrum, was exploited by an unknown attacker who took advantage of a flaw in the platform’s code,” Certik’s analysis details. “The exploit resulted in the loss of more than 100 NFTs from unsuspecting users. After some initial analysis and tracing of the hacker’s wallet on Twitter, many stolen NFTs were returned.”

“The attacker took advantage of an error in the marketplace’s Buyer.buyItem function, which allowed them to set the _quantity equal to 0,” Certik’s post mortem says. “With a quantity of 0, totalPrice is also 0, as totalPrice = _pricePerItem * _quantity. This means the attacker paid nothing for the NFTs they ‘purchased.’ As there is no requirement that _quantity > 0, the function executes normally. This bug could be resolved by requiring a greater than 0 value for the _quantity variable.”
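As an added illustration (not Treasure DAO’s contract and not Certik’s code), the simplified marketplace below shows the buyItem flaw Certik describes next to the one-line fix. It assumes the listed token is an ERC-721 whose safeTransferFrom carries no quantity, which is why a zero-quantity purchase still moves the token; the Listing struct, mapping layout and helper names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-721 surface used here (the real interface has more functions).
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Simplified fixed-price marketplace reconstructed from the post mortem. This is NOT
// Treasure DAO's code: struct, mapping layout and helper names are assumptions.
contract Marketplace {
    struct Listing { address seller; uint256 quantity; uint256 pricePerItem; }
    mapping(address => mapping(uint256 => Listing)) public listings;

    function createListing(address nft, uint256 tokenId, uint256 quantity, uint256 pricePerItem) external {
        require(quantity > 0 && pricePerItem > 0, "bad listing");
        listings[nft][tokenId] = Listing(msg.sender, quantity, pricePerItem);
    }

    // Vulnerable form: nothing rejects _quantity == 0, so totalPrice is 0 and
    // msg.value == 0 satisfies the payment check. An ERC-721 safeTransferFrom
    // carries no amount, so the token still moves to the buyer for free.
    function buyItemVulnerable(address _nftAddress, uint256 _tokenId, uint256 _quantity) external payable {
        Listing memory l = listings[_nftAddress][_tokenId];
        require(l.quantity >= _quantity, "not enough listed");
        uint256 totalPrice = l.pricePerItem * _quantity;
        require(msg.value == totalPrice, "wrong payment");
        _settle(l, _nftAddress, _tokenId, _quantity, totalPrice);
    }

    // Hardened form: the single missing precondition named in the post mortem.
    function buyItem(address _nftAddress, uint256 _tokenId, uint256 _quantity) external payable {
        require(_quantity > 0, "quantity must be > 0"); // FIX
        Listing memory l = listings[_nftAddress][_tokenId];
        require(l.quantity >= _quantity, "not enough listed");
        uint256 totalPrice = l.pricePerItem * _quantity;
        require(msg.value == totalPrice, "wrong payment");
        _settle(l, _nftAddress, _tokenId, _quantity, totalPrice);
    }

    // Update listing state before the external calls (checks-effects-interactions).
    function _settle(Listing memory l, address nft, uint256 tokenId, uint256 qty, uint256 totalPrice) internal {
        if (l.quantity == qty) delete listings[nft][tokenId];
        else listings[nft][tokenId].quantity = l.quantity - qty;
        IERC721(nft).safeTransferFrom(l.seller, msg.sender, tokenId);
        (bool ok, ) = l.seller.call{value: totalPrice}("");
        require(ok, "payout failed");
    }
}
```

A unit test that calls buyItemVulnerable with _quantity = 0 and msg.value = 0 against a live listing is the regression check to keep: it should revert once the precondition is in place.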

Additionally, Certik’s analysis of the Treasure DAO situation notes that the protocol’s native token MAGIC shed over 40% against the U.S. dollar. Treasure DAO co-founder John Patten also tweeted about the incident after the attacker stole the funds. “Treasure marketplace is being exploited. Please delist your items. We will cover the costs of the exploit—I will personally give up all of my Smols to repair this,” Patten said. The Treasure DAO co-founder added:

I cannot fathom what subhuman targets a fair launch marketplace for robbery, but they will not defeat the community.

Certik Says Ongoing On-Chain Analysis and Pre-Deployment Audits Can Curb Future Blockchain Protocol Exploits

Certik security analysts say that no one knows who was behind the exploit but added that many users were “simply be glad to have their stolen NFTs returned.” The company’s post mortem summary of the situation concludes by adding that significant losses can happen by simply exploiting one line of code. The firm wholeheartedly believes on-chain monitoring of specific blockchain protocols and pre-deployment audits can help stop future vulnerabilities.

“This hack once again highlights the million-dollar ramifications that a single line of code can have,” Certik’s report concludes. “A thorough pre-deployment audit paired with ongoing on-chain analysis is the best way for Web3 projects to show their commitment to security and assure their customers that their funds are safe.”


Jamie Redman

Jamie Redman is the News Lead at Bitcoin.com News and a financial tech journalist living in Florida. Redman has been an active member of the cryptocurrency community since 2011. He has a passion for Bitcoin, open-source code, and decentralized applications. Since September 2015, Redman has written more than 5,000 articles for Bitcoin.com News about the disruptive protocols emerging today.
