March 03, 2022
Beosin’s Analysis of the Arbitrum-based TreasureDAO exploit
Beosin Eagle Eye reported that on March 3, 2022, the Arbitrum-based marketplace TreasureDAO was exploited and over 100 NFTs were stolen. However, almost all of the stolen NFTs were returned within a few hours of the exploit. The following is Beosin’s detailed analysis of this incident:
The transaction initiation address exploited a logic flaw in the TreasureMarketplaceBuyer contract to obtain ERC-721 tokens at no cost: the buyItem function of the contract allows the _quantity parameter to be set to zero, which sets totalPrice to zero, while the ERC-721 token transfer does not depend on _quantity at all.
Transaction initiation address:
Contract being attacked:
On Arbitrum, the transaction initiator called the buyItem function of the TreasureMarketplaceBuyer contract with the _quantity parameter set to 0, thereby buying the ERC-721 token with TokenID 5490 at no cost (taking this transaction as an example).
Figure 1 Transaction Details
As seen from the code, the buyItem function of the TreasureMarketplaceBuyer contract performs no token type check after the _quantity parameter is passed in, and directly multiplies _quantity by _pricePerItem to calculate totalPrice. As a result, with an ERC-20 payment amount of 0, the safeTransferFrom call succeeds and the buyItem function of the TreasureMarketplace contract is then called to complete the purchase.
Figure 2 Source code of buyItem function in the TreasureMarketplaceBuyer contract
However, the buyItem function of the TreasureMarketplace contract only checks the type of the token being purchased and does not check that the token amount is non-zero, so tokens of type ERC-721 can be purchased directly regardless of the _quantity value.
Figure 3 Source code of buyItem function in the TreasureMarketplace contract
Token assets involved:
The root cause of this security incident is the logic confusion caused by the mixed handling of ERC-1155 and ERC-721 tokens. ERC-721 tokens have no concept of quantity, yet the contract uses quantity to calculate the token purchase price, and there is no per-token-type handling when the tokens are transferred.
It is recommended that developers building selling contracts that support multiple token standards handle each case separately according to the characteristics of the respective token standard.
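To make the flaw and the recommended fix concrete, the following is an added example contract written for this analysis; it is a simplified model and not the TreasureDAO code. The contract name MarketplaceExample, the Listing struct, the TokenType enum and the list function are assumptions for illustration. buyItemVulnerable reproduces the pattern described above (totalPrice = _quantity * _pricePerItem with no non-zero check, and an ERC-721 branch that ignores _quantity), while buyItem shows the hardened form that rejects a zero quantity before any price arithmetic and handles the two token standards on separate paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the TreasureDAO contracts. Names below are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC1155 {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

contract MarketplaceExample {
    enum TokenType { ERC721, ERC1155 }

    struct Listing {
        address seller;
        uint256 pricePerItem;
        uint256 quantity;   // units listed; always 1 for ERC-721
        TokenType tokenType;
    }

    IERC20 public immutable paymentToken;
    // nft contract => tokenId => listing
    mapping(address => mapping(uint256 => Listing)) public listings;

    constructor(IERC20 _paymentToken) {
        paymentToken = _paymentToken;
    }

    // Minimal listing helper so the contract is usable on its own (assumed, for illustration).
    function list(address _nft, uint256 _tokenId, uint256 _pricePerItem, uint256 _quantity, TokenType _type) external {
        require(_type == TokenType.ERC1155 || _quantity == 1, "ERC721 lists exactly one unit");
        listings[_nft][_tokenId] = Listing(msg.sender, _pricePerItem, _quantity, _type);
    }

    // Vulnerable pattern, modelled on the flaw described above: totalPrice is computed
    // with no non-zero check, and the ERC-721 branch hands over the token whatever _quantity was.
    function buyItemVulnerable(address _nft, uint256 _tokenId, uint256 _quantity, uint256 _pricePerItem) external {
        Listing memory l = listings[_nft][_tokenId];
        require(l.seller != address(0), "not listed");
        require(l.pricePerItem == _pricePerItem, "price mismatch");

        uint256 totalPrice = _quantity * _pricePerItem;            // 0 when _quantity == 0
        paymentToken.transferFrom(msg.sender, l.seller, totalPrice); // a transfer of 0 succeeds

        if (l.tokenType == TokenType.ERC721) {
            // _quantity is never consulted here, so the token moves for a zero payment
            IERC721(_nft).safeTransferFrom(l.seller, msg.sender, _tokenId);
            delete listings[_nft][_tokenId];
        } else {
            IERC1155(_nft).safeTransferFrom(l.seller, msg.sender, _tokenId, _quantity, "");
            listings[_nft][_tokenId].quantity = l.quantity - _quantity;
        }
    }

    // Hardened version: reject a zero quantity before any price arithmetic, and
    // validate each token standard explicitly instead of sharing one code path.
    function buyItem(address _nft, uint256 _tokenId, uint256 _quantity, uint256 _pricePerItem) external {
        Listing memory l = listings[_nft][_tokenId];
        require(l.seller != address(0), "not listed");
        require(l.pricePerItem == _pricePerItem, "price mismatch");
        require(_quantity > 0, "quantity must be non-zero");

        if (l.tokenType == TokenType.ERC721) {
            require(_quantity == 1, "ERC721: quantity must be 1");
        } else {
            require(_quantity <= l.quantity, "ERC1155: not enough units listed");
        }

        uint256 totalPrice = _quantity * _pricePerItem;
        require(paymentToken.transferFrom(msg.sender, l.seller, totalPrice), "payment failed");

        if (l.tokenType == TokenType.ERC721) {
            IERC721(_nft).safeTransferFrom(l.seller, msg.sender, _tokenId);
            delete listings[_nft][_tokenId];
        } else {
            IERC1155(_nft).safeTransferFrom(l.seller, msg.sender, _tokenId, _quantity, "");
            if (_quantity == l.quantity) {
                delete listings[_nft][_tokenId];
            } else {
                listings[_nft][_tokenId].quantity = l.quantity - _quantity;
            }
        }
    }
}
```

In the hardened buyItem the quantity check runs before the price is computed, so a zero-quantity call reverts instead of producing a zero totalPrice, and the ERC-721 path additionally pins _quantity to 1 so that the price paid always corresponds to exactly the unit transferred. Checking the return value of transferFrom also matters for payment tokens that signal failure by returning false rather than reverting.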