March 03, 2022

Beosin’s Analysis of the Arbitrum-based TreasureDAO exploit

Beosin Eagle Eye reported that on March 3, 2022, the Arbitrum-based marketplace TreasureDAO was exploited and over 100 NFTs were stolen. However, almost all of the stolen NFTs were returned within a few hours of the exploit. The following is Beosin's detailed analysis of this incident:

#1 Overview

The transaction initiation address exploited a logic flaw in the TreasureMarketplaceBuyer contract to obtain ERC-721 tokens at no cost. The buyItem function of that contract accepts a _quantity parameter of zero, which sets totalPrice to zero but has no effect on the ERC-721 token transfer.

Transaction initiation address:


Contract being attacked:


Attack transactions:


On Arbitrum, the transaction initiator called the buyItem function of the TreasureMarketplaceBuyer contract with the _quantity parameter set to 0, thereby buying the ERC-721 token with TokenID 5490 at no cost. (This transaction is taken as the example.)

Figure 1 Transaction Details

As seen from the code, the buyItem function of the TreasureMarketplaceBuyer contract does not check the token type after receiving the _quantity parameter; it directly multiplies _quantity by _pricePerItem to calculate totalPrice. Consequently, the ERC-20 safeTransferFrom for the payment succeeds with an amount of 0, after which the contract calls the buyItem function of the TreasureMarketplace contract to complete the purchase.

Figure 2 Source code of buyItem function in the TreasureMarketplaceBuyer contract

However, the buyItem function of the TreasureMarketplace contract only checks the type of the token being purchased and does not check that the quantity is non-zero. As a result, tokens of type ERC-721 can be purchased directly regardless of the _quantity value.

Figure 3 Source code of buyItem function in the TreasureMarketplace contract
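The flaw described above, as an added illustration that is not TreasureDAO's code: a simplified marketplace sketch (contract, struct and function names are assumptions) showing the vulnerable price-and-transfer logic beside a hardened version that validates _quantity according to the token standard before computing the price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified sketch, not the TreasureDAO source: interfaces and names are assumptions.
interface IERC20 { function transferFrom(address, address, uint256) external returns (bool); }
interface IERC721 { function safeTransferFrom(address, address, uint256) external; }
interface IERC1155 { function safeTransferFrom(address, address, uint256, uint256, bytes calldata) external; }

contract MarketplaceSketch {
    enum TokenType { ERC721, ERC1155 }
    struct Listing { address seller; uint256 pricePerItem; uint256 quantity; TokenType kind; }
    mapping(address => mapping(uint256 => Listing)) public listings;
    IERC20 public immutable paymentToken;

    constructor(IERC20 _paymentToken) { paymentToken = _paymentToken; }

    // VULNERABLE pattern: price scales with _quantity, but _quantity == 0 is never rejected,
    // so totalPrice becomes 0 and an ERC-721 transfer (which ignores quantity) still goes through.
    function buyItemVulnerable(address _nft, uint256 _tokenId, uint256 _quantity) external {
        Listing memory l = listings[_nft][_tokenId];
        uint256 totalPrice = l.pricePerItem * _quantity;            // 0 when _quantity == 0
        paymentToken.transferFrom(msg.sender, l.seller, totalPrice); // transferring 0 succeeds
        if (l.kind == TokenType.ERC721) {
            IERC721(_nft).safeTransferFrom(l.seller, msg.sender, _tokenId); // quantity unused
        } else {
            IERC1155(_nft).safeTransferFrom(l.seller, msg.sender, _tokenId, _quantity, "");
        }
    }

    // HARDENED pattern: validate _quantity per token standard before pricing and transferring.
    function buyItemHardened(address _nft, uint256 _tokenId, uint256 _quantity) external {
        Listing storage l = listings[_nft][_tokenId];
        require(l.seller != address(0), "not listed");
        if (l.kind == TokenType.ERC721) {
            require(_quantity == 1, "ERC721: quantity must be 1");
        } else {
            require(_quantity > 0 && _quantity <= l.quantity, "ERC1155: bad quantity");
        }
        uint256 totalPrice = l.pricePerItem * _quantity;
        require(totalPrice > 0, "zero price"); // also reject free listings created by mistake
        require(paymentToken.transferFrom(msg.sender, l.seller, totalPrice), "payment failed");
        l.quantity -= _quantity; // ERC-721 listings hold quantity 1 and are consumed here
        if (l.kind == TokenType.ERC721) {
            IERC721(_nft).safeTransferFrom(l.seller, msg.sender, _tokenId);
        } else {
            IERC1155(_nft).safeTransferFrom(l.seller, msg.sender, _tokenId, _quantity, "");
        }
    }
}
```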

Token assets involved:

#2 Summary

The root cause of this incident is the logic confusion created by handling ERC-1155 and ERC-721 tokens with the same code path. ERC-721 tokens have no concept of quantity, yet the contract uses quantity to calculate the purchase price, and it does not distinguish between the two token types when the tokens are transferred.

Developers of selling contracts that support multiple token standards should handle each case separately according to the characteristics of the token type involved.
