TreasureDAO Hackers Have Started Returning Stolen NFTs

This article is about to explain and analysis how TreasureDAO Hackers Have Started Returning Stolen NFTs

Welcome to follow and discuss with us

Author: support@lunaray.co

0x01 Event background

Treasure bridges the growing metaverse with an open and composable approach that brings NFTs, DeFi, and gaming together. TreasureDAO was hacked, and more than 100 NFT Tokens were stolen, worth about 1.4 million US dollars.

0x02 Event analysis

Through preliminary tracking analysis, Attacker’s wallet address：

Address 0x9b1acd4336ebf7656f49224d14a892566fd48e68 | Arbiscan

Attack transaction:

Arbitrum Transaction Hash (Txhash) Details | Arbiscan

The official contract address where the vulnerability occurred：

TreasureMarketplaceBuyer

https://arbiscan.io/address/0x812cda2181ed7c45a35a691e0c85e231d218e273#code

TreasureMarketplace

Contract Address 0x2e3b85f85628301a0bce300dee3a6b04195a15ee | Arbiscan

0x03 Attack details

From the attack transaction, it is clear that the attacker calls the buyItem method in the TreasureMarketplaceBuyer contract to obtain the NFT, and the purchase funds provided by the attacker are 0. Here, it should be noted that the fourth parameter _quantity in the buyItem method is passed as 0.

Analysis of the buyItem method can make it clear that the _quantity parameter here, that is, the purchase quantity, is input by the user, but in the calculation of line 37, the price and the purchase quantity are multiplied by zero, and the final price is also zero. the user has completed the zero-fund purchase. Let’s continue to analyze how the attacker transfers the NFT purchased with zero funds to his account. After transferring the funds, the buyItem method in the marketplace contract is called here.

The two judgment conditions in the buyItem method in the picture above are first to judge the similarities and differences of the owner of the NFT, and then to judge the number of the NFT. Since the attacker passes zero parameters, it is easy to bypass the judgment here. The NFT purchase was successful at zero cost. The attacker used this vulnerability to call the buyItem method multiple times to obtain a large amount of NFT Tokens at zero cost.
At present, Treasure has issued an announcement saying that the transaction has been frozen, and the attacker is also returning the NFT.

0x04 summarize

Although the attacker purchases NFT with 0 funds through the contract, but then gradually returns the acquired NFT Token. It is uncertain whether it was done by the testers for the time being, and I hope that users and officials will not have any major financial losses. Judging from this attack incident, the attacker seized the lack of restrictions on the contract to purchase NFT with 0 funds, resulting in the acquisition of a large number of NFT Tokens through this vulnerability. Therefore, for the above contract vulnerabilities, Our technology security team gives the following suggestions:

0x05 Security advice

• It is suggested that the contract should strictly judge the reasonableness of the purchase quantity input by the user

• Proposed contracts limit the possibility of buying NFTs with zero funds

• It is recommended to strictly distinguish the NFT Tokens of the ERC721 and ERC1155 protocols to avoid confusion.

Join Coinmonks Telegram Channel and Youtube Channel learn about crypto trading and investing

Also, Read

• How to Swap Crypto on Uniswap? | A-Ads Review
• Cryptocurrency Savings Accounts | YoBit Review
• Botsfolio vs Napbots vs Mudrex | Gate.io Exchange Review
• CoinFLEX Review | AEX Exchange Review | UPbit Review
• AscendEx Margin Trading | Bitfinex Staking | bitFlyer Review
• Bitget Review | Gemini vs BlockFi cmd| OKEx Futures Trading
• AscendEx Staking | Bot Ocean Review | Best Bitcoin Wallets
• Huobi Review | OKEx Margin Trading | Futures Trading