Beosin’s Analysis of the Arbitrum-based TreasureDAO exploit: Almost all Hacked NFTs Have been Returned

Beosin Eagle Eye reported that on March 3, 2022, the Arbitrum-based marketplace TreasureDAO was exploited and over 100 NFTs were stolen. However, almost all of the hacked NFTs were returned within a few hours of the exploit. The following is Beosin's detailed analysis of this incident:

#1 Overview

The transaction-initiating address exploited a logic flaw in the buyItem function of the TreasureMarketplaceBuyer contract: the _quantity parameter can be set to zero, which drives totalPrice to zero, yet a zero quantity has no effect on the ERC-721 token transfer. The attacker was therefore able to obtain ERC-721 tokens at no cost.

Transaction initiation address:

Arbitrum: 0x9b1acd4336ebf7656f49224d14a892566fd48e68

Contract being attacked:

Arbitrum: 0x812cda2181ed7c45a35a691e0c85e231d218e273

Attack transactions:

Arbitrum: 0x57dc8e6a28efa28ac4a3ef50105b73f45d56615d4a6c142463b6372741db2a2b

On Arbitrum, the transaction initiator called the buyItem function of the TreasureMarketplaceBuyer contract with the _quantity parameter set to 0, thereby buying the ERC-721 token with TokenID 5490 at no cost. (This transaction is used as the example below.)

Figure 1 Transaction Details

As the code shows, the buyItem function of the TreasureMarketplaceBuyer contract performs no token type check on the _quantity parameter it receives; it simply multiplies _quantity by _pricePerItem to obtain totalPrice. With _quantity set to 0, totalPrice is 0, so the safeTransferFrom call that collects the ERC-20 payment moves nothing, and the function then proceeds to call the buyItem function of the TreasureMarketplace contract to complete the purchase.

Figure 2 Source code of buyItem function in the TreasureMarketplaceBuyer contract

However, the buyItem function of the TreasureMarketplace contract only checks the type of token being purchased; it performs no non-zero check on the token quantity. As a result, an ERC-721 token can be purchased outright regardless of the _quantity value.

Figure 3 Source code of buyItem function in the TreasureMarketplace contract
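To make the flaw concrete, the following is an added, hypothetical reconstruction of the purchase flow described above, collapsed into a single contract; it is not TreasureDAO's code, and the contract name, function names, Listing layout and interfaces are assumptions for illustration. The vulnerable function prices by quantity and then transfers the ERC-721 token regardless of that quantity, while the hardened function rejects a zero quantity and pins ERC-721 purchases to exactly one unit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified reconstruction (not TreasureDAO's code).
// Names, the Listing layout and the interfaces are assumptions.
interface IERC20 { function transferFrom(address from, address to, uint256 amount) external returns (bool); }
interface IERC721 { function safeTransferFrom(address from, address to, uint256 id) external; }
interface IERC1155 { function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external; }

contract Marketplace {
    enum TokenType { ERC721, ERC1155 }
    struct Listing { address seller; uint256 pricePerItem; uint256 quantity; TokenType kind; }
    mapping(address => mapping(uint256 => Listing)) public listings;
    IERC20 public immutable paymentToken;

    constructor(IERC20 token) { paymentToken = token; }

    // Vulnerable pattern: totalPrice = pricePerItem * quantity, and the ERC-721
    // branch transfers the token no matter what quantity was actually paid for.
    function buyItemVulnerable(address nft, uint256 tokenId, uint256 quantity) external {
        Listing storage l = listings[nft][tokenId];
        uint256 totalPrice = l.pricePerItem * quantity;            // quantity == 0 -> totalPrice == 0
        require(paymentToken.transferFrom(msg.sender, l.seller, totalPrice), "payment failed");
        if (l.kind == TokenType.ERC721) {
            IERC721(nft).safeTransferFrom(l.seller, msg.sender, tokenId); // quantity is never consulted
        } else {
            IERC1155(nft).safeTransferFrom(l.seller, msg.sender, tokenId, quantity, "");
        }
        delete listings[nft][tokenId];
    }

    // Hardened pattern: validate the listing and quantity before pricing, and
    // require quantity == 1 for ERC-721 so the price and the transfer agree.
    function buyItemHardened(address nft, uint256 tokenId, uint256 quantity) external {
        Listing storage l = listings[nft][tokenId];
        require(l.seller != address(0), "not listed");
        require(quantity > 0 && quantity <= l.quantity, "bad quantity");
        if (l.kind == TokenType.ERC721) require(quantity == 1, "ERC-721 quantity must be 1");
        uint256 totalPrice = l.pricePerItem * quantity;            // now always > 0 for a priced listing
        require(paymentToken.transferFrom(msg.sender, l.seller, totalPrice), "payment failed");
        if (l.kind == TokenType.ERC721) {
            IERC721(nft).safeTransferFrom(l.seller, msg.sender, tokenId);
        } else {
            IERC1155(nft).safeTransferFrom(l.seller, msg.sender, tokenId, quantity, "");
        }
        l.quantity -= quantity;
        if (l.quantity == 0) delete listings[nft][tokenId];
    }
}
```

A unit test that calls buyItemVulnerable with quantity 0 against an ERC-721 listing and observes the token leaving the seller without any ERC-20 movement is the simplest regression check for this class of bug.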

Token assets involved:

#2 Summary

The root cause of this incident is the logic confusion created by handling ERC-1155 and ERC-721 tokens in the same code path. ERC-721 tokens have no concept of quantity, yet the contract uses quantity to calculate the purchase price, and no distinction is made between the two token types when the tokens are finally transferred.

Developers building selling contracts that support multiple token standards should handle each case separately according to the characteristics of each token type.

Contact US

Website: https://beosin.com/

Email: contact@beosin.com

Twitter: https://twitter.com/Beosin_com

Telegram: https://t.me/beosin

Medium: https://medium.com/@Beosin

Github: https://github.com/Beosin20180329

Discord: https://discord.com/invite/B4QJxhStV4
