
Hacker Who Stole More Than 100 NFTs From Treasure Begins Returning Assets
An unknown attacker exploited a vulnerability in the Treasure NFT marketplace, built on the Arbitrum Layer 2 protocol, to steal more than 100 assets listed for sale. Within a few hours, the hacker began returning the stolen items.
1/ The @Treasure_DAO was exploited in a series of txs (one hack tx: https://t.co/rUTIGgWEth), leading to 100+ NFTs stolen from several collections of Treasure Marketplace.
— PeckShield Inc. (@peckshield) March 3, 2022
The bug allowed NFTs to be bought for zero MAGIC, the token used on the marketplace. Treasure DAO co-founder John Patten confirmed the hack and urged users to remove their assets from sale.
“The Treasure marketplace has been exploited. Please remove your items from the listing. We will compensate all losses — I will personally forgo all my Smol to fix this,” he wrote.
The total amount of damage is unknown. A researcher going by the handle Jacob H. traced one of the hacker’s addresses, which in half an hour made 16 “purchases” for 0 MAGIC. The costs to acquire tokens from the Smol Brains and Legion collections amounted to less than $5 per transaction in gas fees.
This wallet made 16 “purchases” in 30 minutes for 0 $MAGIC. They bought a lot of Smol Brains and a few Legion. Every purchase cost <$5 in gas and 0 $MAGIC. https://t.co/gwvIfpi9A3 pic.twitter.com/qNbrsvtMEK
— Jacob H. (@lukenamop) March 3, 2022
The estimated value of these assets totals around 426 511 MAGIC (~$1.44 million).
Another address received 21 NFTs in the same manner.
As a precaution, experts advised users to remove their assets from listings on all NFT marketplaces on Arbitrum.
“We believe we have identified and fixed the root cause. It was a basic bug arising from a previous fix, which we should have detected earlier,” said the Treasure developers in Discord.
A few hours after the breach, all 16 Smol Brain NFTs were sent from the hacker’s first wallet, the one identified by Jacob H., to Treasure DAO’s address.
The Treasure marketplace team confirmed that the attacker began returning the assets.
“Once we have a complete list of remaining victims who did not receive their stolen NFTs back, we will present a range of options to ensure compensation. These options will be presented to the community and voted on by the DAO,” said Treasure.
Following the breach, the MAGIC price slumped from around $3.8 to $2.23 (SushiSwap). At the time of writing, the token’s price had recovered and was trading sideways near $3.4.
One user noted that the Treasure vulnerability resembled the one previously identified in the OpenSea NFT platform code.
That earlier bug allowed high-priced tokens to be bought at discounted prices on the largest marketplace in the segment.
OpenSea’s team initiated migration to a new smart contract to fix the bug. However, during this process, users suffered further losses of assets in a phishing attack.