Analysis of the Security Breach on TreasureDAO

KingData ·2022-03-07

TreasureDAO, an NFT application deployed on a popular Layer 2 solution Arbitrum was attacked on March 3, 2022.

Since the rapid development of various Layer 2 solutions in 2021, attacks targeting applications deployed on Layer 2 solutions don’t happen as frequently as those that happen on blockchain mainnets. Very few real cases could have been studied. Therefore, Fairyproof pays close attention to this incident, watches its progress and updates from its team.

Here is some basic information about this incident:

The attacker’s address was 0x4642D9D9A434134CB005222eA1422e1820508d7B,

The contract that was attacked was deployed at:

0x812cda2181ed7c45a35a691e0c85e231d218e273 on Arbitrum.

The vulnerability that was exploited was in the “buyItem” function in the “TreasureMarketplace.sol” contract. Here was the code section:

In the “buyItem” function, “listedItem.quantity” was the selling price and “ _quantit” was the bid price. A correct implementation should require the latter to be equal to or greater than the former. However the existing implementation “require(listedItem.quantity >= _quantity, “not enough quantity”);” didn’t meet this requirement. Therefore if “_quantit” was set to “0” i.e. “_quantit = 0”, a bidder could successfully purchase an NFT.

Here was an attack transaction and its hash value was:


The transaction’s detailed information was as follows:

There were five parameters among which the fourth was “_quantity = 0” which was exploited to make a successful attack.

Nearly one hundred NFTs have been exploited in this incident so far.

This bug is categorized as an implementation vulnerability by Fairyproof. It shouldn’t be overlooked if the code went through a thorough test or was audited by a professional security team.

Arbitrum is EVM compatible and nearly all security syndromes, issues, or risks that happen to Ethereum smart contracts might occur to the ones deployed on Arbitrum. Therefore, most of the issues or risks that happen to exist in Ethereum applications could have been avoided for applications deployed on Arbitrum if the applications are carefully audited.

© The copyright of this article belongs to KingData, and can't be reproduced and used without KingData's permission.