Attacker Hacks Arbitrum’s Treasure DAO for Over 100 NFTs by Leveraging Marketplace Exploit


Treasure DAO, a non-fungible token (NFT) marketplace built on top of Arbitrum, was hacked on March 3 at 7:33 a.m. (EST), according to a post-mortem analysis authored by the security-focused firm Certik. The company’s report notes that “over 100 NFTs were stolen in the attack,” as the attacker leveraged a vulnerability in the marketplace’s “buyer buy item” function.

Certik Post-Mortem Analysis Shows Arbitrum NFT Trading Platform Treasure Was Exploited for Over 100 NFTs

Leading Arbitrum NFT marketplace, Treasure DAO, came under attack on Thursday after an attacker discovered an exploit that resulted in the loss of “over 100 NFTs from unsuspecting users”. Post-mortem analysis of the attack was sent to Bitcoin.com News by blockchain security firm Certik, a company that analyzes, monitors, and evaluates smart contracts, blockchain technology, and decentralized finance (defi) protocols.

“Treasure DAO, an NFT trading platform on Arbitrum, was exploited by an unknown attacker who took advantage of a flaw in the platform’s code,” Certik’s analysis details. “The exploit resulted in the loss of more than 100 NFTs from unsuspecting users. After some initial analysis and tracing of the hacker’s wallet on Twitter, many stolen NFTs were returned.”

Additionally, Certik’s analysis of the Treasure DAO situation notes that the native MAGIC protocol token lost over 40% against the US dollar. Treasure DAO co-founder John Patten also tweeted about the event after the attacker stole the NFTs. “The treasure market is exploited. Please delete your articles. We will cover the cost of the exploit – I will personally give up all my Smols to fix this,” Patten said. The Treasure DAO co-founder added:

I can’t figure out which subhuman is targeting a fair launch market for theft, but they won’t defeat the community.

Certik Says Ongoing On-Chain Analysis and Pre-Deployment Audits Can Curb Future Blockchain Protocol Exploits

Certik security analysts say that no one knows who was behind the exploit but added that many users will “simply be glad to have their stolen NFTs returned.” The company’s post-mortem summary of the situation concludes by adding that significant losses can result from exploiting a single line of code. The firm believes that on-chain monitoring of specific blockchain protocols and pre-deployment audits can help stop future exploits.

“This hack once again highlights the million-dollar ramifications that a single line of code can have,” Certik’s report concludes. “A thorough pre-deployment audit coupled with ongoing chain analysis is the best way for Web3 projects to demonstrate their commitment to security and assure their customers that their funds are safe.”

admin
