Hackers who exploited a vulnerability in NFT marketplace Treasure began returning most of the “Smol Brain” and “Legion” NFTs they stole on Thursday.
The people behind the attack were able to mint several NFTs for free thanks to the vulnerability.
Blockchain analysis firm PeckShield said more than 100 NFTs were stolen from several collections in the Treasure marketplace.
The situation began on Tuesday, when reports emerged that the Treasure marketplace was being exploited. Treasure did not respond to requests for comment, but co-founder John Patten took to Twitter to confirm that the platform was facing a spate of thefts.
“Treasure marketplace is being exploited. Please delist your items. We will cover the costs of the exploit—I will personally give up all of my Smols to repair this. I cannot fathom what subhuman targets a fair launch marketplace for robbery, but they will not defeat the community,” Patten said.
“I vow to keep making free mints that make people happy even if this evil individual exploits every single one. This is just the beginning.”
Treasure released its own official statement, writing that their team was “focused on finding the 50 NFTs that remain stolen and making buyers whole.”
A number of people compared the issue to something popular NFT marketplace OpenSea also faced recently, where hackers gained the ability to re-list an NFT at a new price without cancelling the previous listing.
Other experts like Harry Denley, a member of the security team at MetaMask, urged users to delist. Denley told ZDNet that the issue facing Treasure is different than the one that affected OpenSea, but noted that the end result was somewhat the same: NFTs being stolen for low, and sometimes $0, value.
“The issue with Treasure was a logic flaw in their smart contract within the buyItem() function. The function did not validate the quantity of the listing you were buying from, so a bad actor could craft a transaction to call buyItem() to create a specific buy order with 0 quantity for a listing,” Denley explained.
“Because of 0 quantity, the price to pay was 0 (price * quantity = 0), and if that was satisfied (as in the transaction sent the correct amount of money, which will always be $0, to buy the order at), the NFTs were transferred to the buyer. A simple sanity check was missing from the function.”
Denley added that he was unsure of the number of stolen NFTs and their value but noted that most have been returned to their owners. CoinDesk pegged the value of the stolen NFTs at around $1.4 million.
Denley said the marketplace is in a “pause” state and explained that they set their Oracle to a “burn” address in transaction causing all interactions with the marketplace to fail.
“After they have redeployed the contracts with the fix and hopefully have the contracts audited, then they’ll start opening up the marketplace,” Denley said.
“I think it’s worth noting that it is still yet to be determined if this attack was a white hat or a black hat that had a change of heart due to their on-chain activity possibly being linked to their real-world identity. For example, 201 days ago, the exploiter received funds from a Binance account to their Ethereum main net address, which could be KYC’d or exposed identify somewhere on that platform,” he added, pointing to an address implicated in the attack.
In Treasure’s Discord channel, developers said they identified and rectified the cause of the issue.
“This was a basic bug arising from a prior fix that should have been identified earlier,” they wrote. “Once we have the full list of remaining impacted parties who did not receive back their stolen NFTs, we will propose a number of remediation options to ensure users are made whole.”
Treasure is the biggest NFT marketplace on the Arbitrum blockchain.