- NFT marketplace TreasureDAO has seen its smart contract exploited and hundreds of NFTs stolen
- The NFTs were re-sold before the marketplace took action, although around 50 have been returned
- TreasureDAO co-founder John Patten has offered to make victims whole
TreasureDAO, the fair launch NFT marketplace that launched in November 2021, yesterday saw its smart contract exploited and over 100 NFTs stolen from users. The hackers abused the way the marketplace contract handled the difference between ERC-721 and ERC-1155 tokens to take and resell hundreds of NFTs listed on TreasureDAO, although they have since returned almost half of those stolen. TreasureDAO co-founder John Patten offered to personally cover any losses incurred by users of the platform, which has temporarily ceased operations while it deals with the fallout.
Hackers Bought User NFTs for Free
Users first noticed that something was amiss with the TreasureDAO website when their own NFTs were being listed on the site after being ‘bought’ from them for 0 MAGIC, the currency on the platform:
DELIST ALL YOUR SHIT OFF TREASURE MARKETPLACE, THIS ISN'T A JOKE. THIS WAS JUST STOLEN IN A MARKETPLACE EXPLOIT FOR 0 MAGIC, I JUST HAD A PINK SMOL STOLEN. THESE ARE NOT REAL SALES, DELIST NOW. @Treasure_DAO KILL THE SITE https://t.co/8TySOce5kW
— Keyboard Monkey (@KeyboardMonkey3) March 3, 2022
The hackers were able to do this because of a crucial difference between two types of ERC token – ERC-721, under which every token is unique and is transferred one at a time, and ERC-1155, under which a token ID carries a quantity and batch transfers can be made within a single transaction. The TreasureDAO hackers realized that the marketplace's purchase function could be made to compute the wrong price for some NFTs:
3/ The hack is made possible due to a bug in distinguishing ERC721 and ERC1155 in buyItem(), which mis-calculates the price of ERC721 as ERC1155 with the (untrusted) given 0 quantity. pic.twitter.com/D09lYbEmRL
— PeckShield Inc. (@peckshield) March 3, 2022
Because the miscalculated price came out at zero, hundreds of NFTs were taken and resold on the TreasureDAO marketplace before anyone realized.
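To show the shape of the bug PeckShield describes, here is an added example that is not TreasureDAO's code: a sketch of a buyItem() that multiplies a caller-supplied quantity into the price for every token type, beside a hardened version that pins the quantity to the token type first. The contract name, the internal MAGIC ledger and the interface stubs are assumptions made so the file stands alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Interface stubs (assumed) so the file compiles stand-alone without OpenZeppelin imports.
interface IERC165 { function supportsInterface(bytes4 id) external view returns (bool); }
interface IERC721 { function safeTransferFrom(address from, address to, uint256 id) external; }
interface IERC1155 {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amt, bytes calldata d) external;
}
contract MarketplaceExample {
    bytes4 private constant ERC721_ID = 0x80ac58cd;  // ERC-165 interface id of ERC-721
    bytes4 private constant ERC1155_ID = 0xd9b67a26; // ERC-165 interface id of ERC-1155
    struct Listing { address seller; uint256 quantity; uint256 pricePerItem; }
    mapping(address => mapping(uint256 => Listing)) public listings;
    mapping(address => uint256) public magic; // simplified internal MAGIC ledger (assumed)

    // VULNERABLE pattern: the caller's quantity is multiplied into the price for every token
    // type, so quantity == 0 prices an ERC-721 at nothing while the transfer still moves it.
    function buyItemVulnerable(address nft, uint256 id, uint256 quantity) external {
        Listing memory l = listings[nft][id];
        _pay(msg.sender, l.seller, l.pricePerItem * quantity); // 0 when quantity == 0
        _transfer(nft, l.seller, msg.sender, id, quantity);
        delete listings[nft][id];
    }

    // HARDENED: pin the quantity to the token type before pricing, and reject a zero total.
    function buyItem(address nft, uint256 id, uint256 quantity) external {
        Listing memory l = listings[nft][id];
        require(l.seller != address(0), "not listed");
        if (IERC165(nft).supportsInterface(ERC721_ID)) {
            require(quantity == 1, "ERC721: quantity must be 1");
        } else {
            require(IERC165(nft).supportsInterface(ERC1155_ID), "unsupported token");
            require(quantity > 0 && quantity <= l.quantity, "ERC1155: bad quantity");
        }
        uint256 total = l.pricePerItem * quantity;
        require(total > 0, "zero-priced purchase"); // defence in depth
        _pay(msg.sender, l.seller, total);
        _transfer(nft, l.seller, msg.sender, id, quantity);
        if (quantity == l.quantity) delete listings[nft][id];
        else listings[nft][id].quantity = l.quantity - quantity;
    }
    function _pay(address from, address to, uint256 amount) internal {
        require(magic[from] >= amount, "insufficient MAGIC");
        magic[from] -= amount; magic[to] += amount;
    }
    function _transfer(address nft, address from, address to, uint256 id, uint256 qty) internal {
        if (IERC165(nft).supportsInterface(ERC721_ID)) IERC721(nft).safeTransferFrom(from, to, id);
        else IERC1155(nft).safeTransferFrom(from, to, id, qty, "");
    }
}
```

The point for a reviewer is that any value that feeds a price must be validated against what the contract can verify on-chain (here, the token standard the collection reports via ERC-165), never trusted from calldata.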
TreasureDAO Co-founder Promises to Make Victims Whole
TreasureDAO locked the site and advised all users to remove their NFTs from sale while it investigated the hack, with Patten revealing his disgust at the actions of the hackers and offering to make victims whole:
I vow to keep making free mints that make people happy even if this evil individual exploits every single one.
This is just the beginning.
— John Patten (@jpatten__) March 3, 2022
TreasureDAO is still down at the time of writing, with an audit of the smart contract presumably underway; it is an audit that should perhaps have been done earlier, if indeed one wasn't.