An unknown attacker used a vulnerability in the Treasure NFT marketplace, which runs on the Arbitrum layer-2 network, to steal more than 100 of the assets listed for sale. A few hours later, the hacker began returning the stolen NFTs.
1/ The @Treasure_DAO was exploited in a series of txs (one hack tx: https://t.co/rUTIGgWEth), leading to 100+ NFTs stolen from several collections of Treasure Marketplace.
— PeckShield Inc. (@peckshield) March 3, 2022
The bug allowed NFTs to be bought for zero MAGIC, the token used for payment on the marketplace. Treasure DAO co-founder John Patten confirmed the hack and urged users to delist their assets.
“The Treasure marketplace has been exploited. Please remove your items from the listing. We will make up for all losses – I will personally give up all my Smols to fix it,” he wrote.
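The article says only that listings could be settled for 0 MAGIC; it does not say which check was missing. The Solidity sketch below is an added illustration written for this page, not the Treasure contract or any code from the project, and every name in it (FixedPriceMarket, list, buy, paymentToken) is assumed. It shows the invariant a marketplace buy path has to enforce so that an NFT never changes hands without a non-zero payment actually moving: the price is validated at listing time, re-checked and pinned by the buyer at purchase time, and the ERC-20 transfer must succeed before the ERC-721 transfer is attempted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the Treasure marketplace contract.
// Minimal subsets of the ERC-20 and ERC-721 interfaces used below.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract FixedPriceMarket {
    struct Listing {
        address seller;
        uint256 price; // in units of paymentToken, must be > 0
    }

    IERC20 public immutable paymentToken; // hypothetical payment ERC-20
    mapping(address => mapping(uint256 => Listing)) public listings; // nft contract => tokenId => listing

    constructor(IERC20 token) {
        paymentToken = token;
    }

    // Seller lists a single ERC-721 token. A zero-price listing is rejected
    // up front, so a free purchase cannot be created through this path.
    function list(address nft, uint256 tokenId, uint256 price) external {
        require(price > 0, "price must be non-zero");
        listings[nft][tokenId] = Listing(msg.sender, price);
    }

    // Buyer pays exactly the listed price. expectedPrice pins the amount the
    // buyer agreed to, so a listing changed between quote and purchase reverts.
    function buy(address nft, uint256 tokenId, uint256 expectedPrice) external {
        Listing memory l = listings[nft][tokenId];
        require(l.seller != address(0), "not listed");
        require(l.price > 0, "zero price");                  // defence in depth
        require(l.price == expectedPrice, "price mismatch");

        // Effects before interactions: remove the listing first.
        delete listings[nft][tokenId];

        // Payment must succeed before the NFT moves; a failed or zero transfer reverts.
        require(paymentToken.transferFrom(msg.sender, l.seller, l.price), "payment failed");
        IERC721(nft).safeTransferFrom(l.seller, msg.sender, tokenId);
    }
}
```

The seller is assumed to have approved the market contract on the NFT collection and the buyer to have approved it on the payment token; with those approvals in place, the only way for buy to complete is for l.price units of the token to leave the buyer, and the contract never computes a payment amount from caller-supplied inputs that could collapse to zero.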
The total damage is unknown. A researcher known as Jacob H. traced one of the hacker’s addresses, which made 16 “purchases” for 0 MAGIC within half an hour. Each purchase of tokens from the Smol Brains and Legion collections cost less than $5 in gas fees.
This wallet made 16 “purchases” in 30 minutes for 0 $MAGIC. They bought a lot of Smol Brains and a few Legion. Every purchase cost <$5 in gas and 0 $MAGIC. https://t.co/gwvIfpi9A3 pic.twitter.com/qNbrsvtMEK
— Jacob H. (@lukenamop) March 3, 2022
The estimated value of these assets in total is about 426,511 MAGIC (~$1.44 million).
Another address received 21 NFTs in a similar way.
The researcher recommended that users delist their assets from all NFT marketplaces on Arbitrum in order to protect them.
“We believe we have identified and eliminated the cause of the problem. This was a basic bug that arose from a previous fix that we should have discovered earlier,” the Treasure developers said on Discord.
A few hours after the hack, all 16 Smol Brains NFTs were sent from the first hacker wallet identified by Jacob H. to the Treasure DAO address.
The marketplace team confirmed that the attacker started the return of assets.
“Once we have a complete list of the remaining victims who did not receive back the stolen NFTs, we will offer a range of options to ensure compensation. These options will be presented to the community and voted on by the DAO,” Treasure said.
Amid the news of the hack, the price of MAGIC fell from around $3.8 to $2.23 on SushiSwap. At the time of writing, the token has recovered and is trading sideways near the $3.4 level.
[Chart: 15-minute MAGIC/WETH chart on SushiSwap. Data: DEX Screener.]
One user noted that the Treasure vulnerability resembled one previously identified in the code of the OpenSea NFT platform.
Recall that that bug allowed expensive tokens to be bought at outdated, lower prices on the largest marketplace in the segment.
The OpenSea team initiated a migration to a new smart contract to fix the bug; during that migration, however, users lost further assets to a phishing attack.