Attacker Hacks Arbitrum’s Treasure DAO for More Than 100 NFTs
A non-fungible token market platform built on top of Arbitrum called Treasure DAO was hacked on March 3 at 7:33 a.m. (EST), according to a post mortem analysis authored by the security-focused firm Certik. The company’s report notes that “over 100 NFTs were stolen in the attack,” as the attacker leveraged a vulnerability in the marketplace’s “buyer buy item” function.
Post Mortem Analysis by Certik Shows Arbitrum NFT Trading Platform Treasure DAO Exploited for More Than 100 NFTs
The leading Arbitrum NFT marketplace Treasure DAO was attacked on Thursday after an attacker discovered an exploit that resulted in the loss of “more than 100 NFTs from unsuspecting users.” The post mortem analysis of the attack was sent to Bitcoin.com News from the blockchain security firm Certik, a company that analyzes, monitors, and assesses smart contracts, blockchain tech, and decentralized finance (defi) protocols.
An unknown attacker exploited Treasure DAO to steal NFTs from Arbitrum’s trading platform. Certik’s analysis explains: “The exploit resulted in the loss of more than 100 NFTs from unsuspecting users. Many stolen NFTs were recovered after an initial analysis and trace of the hacker’s wallet via Twitter.”
“The attacker took advantage of an error in the marketplace’s Buyer.buyItem function, which allowed them to set the _quantity equal to 0,” Certik’s post mortem says. “With a quantity equal to 0, totalPrice also equals 0, since totalPrice = pricePerItem * quantity. This means that the attacker did not pay for the NFTs they allegedly purchased. This bug could be resolved by requiring a greater than 0 value for the _quantity variable.”
Additionally, Certik’s analysis of the Treasure DAO situation notes that the protocol’s native token MAGIC shed over 40% against the U.S. dollar. Treasure DAO co-founder John Patten also tweeted about the event after the attacker stole the funds. “Treasure market is being exploited. Please remove your items from the Treasure Marketplace.” Patten said the exploit costs would be covered and that he would give up all his Smols in order to fix this. The Treasure DAO co-founder added:
I cannot fathom what subhuman targets a fair launch marketplace for robbery, but they will not defeat the community.
Certik security experts say no one knows the source of the exploit, but they add that many users would “just be glad to see their stolen NFTs back.” A post-mortem review by the company concludes that even one line of code can cause significant losses. The firm believes that pre-deployment audits and on-chain monitoring can prevent future vulnerabilities.
“This hack once more highlights the multi-million-dollar ramifications that one line of code can have,” Certik’s final report states. “Web3 projects should conduct a thorough pre-deployment audit, which is paired with on-chain analysis, to show their security commitment and assure customers that their funds are safe.”
Jamie Redman
Jamie Redman, the News Lead at Bitcoin.com News, is a Florida-based financial journalist. Redman has been an active member of the cryptocurrency community since 2011. Redman is passionate about Bitcoin, open-source codes, and decentralized applications. Since September 2015, Redman has written more than 5,000 articles for Bitcoin.com News about the disruptive protocols emerging today.