TreasureDAO Hack Sees Over 100 NFTs Stolen

  • NFT marketplace TreasureDAO has seen its smart contract exploited and hundreds of NFTs stolen
  • The NFTs were re-sold before the marketplace took action, although around 50 have been returned
  • TreasureDAO co-founder John Patten has offered to make victims whole

TreasureDAO, the fair launch NFT marketplace that launched in November 2021, yesterday saw its smart contract exploited and over 100 NFTs stolen from users. The hackers exploited differences between ERC-721 and ERC-1155 token types to steal and resell hundreds of NFTs from TreasureDAO, although they have returned almost half of those stolen. TreasureDAO co-founder John Patten offered to personally cover any losses incurred by users of the platform, which has temporarily ceased operations while it deals with the fallout.

Hackers Bought User NFTs for Free

Users first noticed that something was amiss with the TreasureDAO website when their own NFTs were being listed on the site after being ‘bought’ from them for 0 MAGIC, the currency on the platform.

The hackers were able to do this because of a crucial difference between two types of ERC token: ERC-721, which allows only single-token transfers, and ERC-1155, which allows batch transfers within a single transaction. The TreasureDAO hackers realized that they could force the smart contract to misread the price on some NFTs.

This resulted in hundreds of NFTs being stolen and resold on the TreasureDAO marketplace before anyone realized.

TreasureDAO Co-founder Promises to Make Victims Whole

TreasureDAO locked the site and advised all users to remove their NFTs from sale while it investigated the hack, with Patten revealing his disgust at the actions of the hackers and offering to make victims whole.

TreasureDAO is still down at the time of writing with an audit of the smart contract presumably underway, an audit that should perhaps have been done earlier, if indeed one wasn’t.