March 03, 2022

Beosin’s Analysis of the Arbitrum-based TreasureDAO exploit


Beosin Eagle Eye reported that on March 3, 2022, the Arbitrum-based marketplace TreasureDAO was exploited and over 100 NFTs were stolen. However, almost all of the stolen NFTs were returned a few hours after the exploit. The following is Beosin’s detailed analysis of the incident:


#1 Overview


The transaction initiation address exploited a logic flaw in the buyItem function of the TreasureMarketplaceBuyer contract to obtain ERC-721 tokens at no cost: the _quantity parameter can be set to zero, which makes totalPrice zero but does not affect the transfer of ERC-721 tokens.


Transaction initiation address:


Arbitrum:0x9b1acd4336ebf7656f49224d14a892566fd48e68


Contract being attacked:


Arbitrum:0x812cda2181ed7c45a35a691e0c85e231d218e273


Attack transactions:


Arbitrum:0x57dc8e6a28efa28ac4a3ef50105b73f45d56615d4a6c142463b6372741db2a2b


On Arbitrum, the transaction initiator passed a _quantity of 0 to the buyItem function of the TreasureMarketplaceBuyer contract and thereby bought the ERC-721 token with TokenID 5490 at no cost (taking this transaction as an example).


Figure 1 Transaction Details


As seen from the code, the buyItem function of the TreasureMarketplaceBuyer contract does not check the token type after receiving the _quantity parameter and directly multiplies _quantity by _pricePerItem to calculate totalPrice. Therefore, with _quantity set to 0, the ERC-20 payment made through safeTransferFrom is 0, and the buyItem function of the TreasureMarketplace contract is still called to make the token purchase.


Figure 2 Source code of buyItem function in the TreasureMarketplaceBuyer contract


However, the buyItem function of the TreasureMarketplace contract only checks the type of token being purchased and does not check that the quantity is non-zero, so ERC-721 tokens can be purchased regardless of the _quantity value.


Figure 3 Source code of buyItem function in the TreasureMarketplace contract


Token assets involved:



#2 Summary


The main cause of this security incident is the logic confusion created by handling ERC-1155 tokens and ERC-721 tokens in the same code. ERC-721 tokens have no concept of quantity, yet the contract uses quantity to calculate the purchase price, and the tokens are then transferred without handling the two token types separately.

It is recommended that developers of selling contracts that support multiple token types handle each type according to its own characteristics.
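The recommendation above, sketched as an added Solidity example (not the TreasureDAO contracts' source and not code from this analysis): a hypothetical marketplace whose buyItem rejects a zero _quantity and requires exactly one item for ERC-721 before totalPrice is computed. The contract name QuantityCheckedMarket, the createListing function, the _seller parameter and the storage layout are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: hypothetical contract, interfaces trimmed to the calls used.
interface IERC165 { function supportsInterface(bytes4 id) external view returns (bool); }
interface IERC20 { function transferFrom(address from, address to, uint256 amount) external returns (bool); }
interface IERC721 { function safeTransferFrom(address from, address to, uint256 tokenId) external; }
interface IERC1155 {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

contract QuantityCheckedMarket {
    bytes4 private constant ERC721_ID = 0x80ac58cd;  // ERC-165 id of ERC-721
    bytes4 private constant ERC1155_ID = 0xd9b67a26; // ERC-165 id of ERC-1155

    struct Listing { uint256 quantity; uint256 pricePerItem; }

    IERC20 public immutable paymentToken;
    // nft => tokenId => seller => listing
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;

    constructor(IERC20 _paymentToken) { paymentToken = _paymentToken; }

    function createListing(address _nft, uint256 _tokenId, uint256 _quantity, uint256 _pricePerItem) external {
        require(_quantity > 0 && _pricePerItem > 0, "bad listing");
        listings[_nft][_tokenId][msg.sender] = Listing(_quantity, _pricePerItem);
    }

    function buyItem(address _nft, uint256 _tokenId, address _seller, uint256 _quantity) external {
        Listing memory listing = listings[_nft][_tokenId][_seller];
        // Zero is rejected for every token type, so totalPrice can never be 0.
        require(_quantity > 0 && _quantity <= listing.quantity, "bad quantity");

        bool is721 = IERC165(_nft).supportsInterface(ERC721_ID);
        // Classify the token before pricing: an ERC-721 purchase is exactly one item.
        if (is721) require(_quantity == 1, "ERC-721 quantity must be 1");
        else require(IERC165(_nft).supportsInterface(ERC1155_ID), "unsupported token");

        uint256 totalPrice = listing.pricePerItem * _quantity;
        // Update state before any external call; an ERC-721 listing is always consumed.
        if (is721 || _quantity == listing.quantity) delete listings[_nft][_tokenId][_seller];
        else listings[_nft][_tokenId][_seller].quantity = listing.quantity - _quantity;

        require(paymentToken.transferFrom(msg.sender, _seller, totalPrice), "payment failed");
        if (is721) IERC721(_nft).safeTransferFrom(_seller, msg.sender, _tokenId);
        else IERC1155(_nft).safeTransferFrom(_seller, msg.sender, _tokenId, _quantity, "");
    }
}
```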
