Beosin Eagle Eye reported that on March 3, 2022, Arbitrum-based marketplace TreasureDAO was exploited and over 100 NFTs were stolen. However, almost all hacked NFTs have been returned after a few hours of this exploit. The following is Beosin’s detailed analysis of this incident:
The transaction initiation address exploited a logic flaw in the TreasureMarketplaceBuyer contract to obtain ERC-721 tokens at no cost by setting the totalPrice to zero through a vulnerability in the buyItem function of the contract where the _quantity parameter can be set to zero and does not affect ERC-721 token transactions.
Transaction initiation address:
Contract being attacked:
On Arbitrum, the transaction initiator passed in the _quantity parameter with value 0 through the buyItem function of the TreasureMarketplaceBuyer contract, thus buying the ERC-721 token with TokenID 5490 for no cost. (Take this transaction as an example)
As seen from the code, the buyItem function of the TreasureMarketplaceBuyer contract does not make a token type judgement after passing in the _quantity parameter, and directly multiplies _quantity with _pricePerItem to calculate totalPrice. Therefore, the safeTransferFrom function can call the buyItem function of the TreasureMarketplace contract to make a token purchase if the payment amount of ERC-20 token is only 0.
However, when calling the buyItem function of the TreasureMarketplace contract, the function only makes a judgment on the token types purchased and does not make a non-zero judgment on the amount of tokens, resulting in the exploit where tokens of type ERC-721 can be purchased directly regardless of the _quantity value.
The main reason for this security incident lies in the logic confusion caused by the mix usage of ERC-1155 tokens and ERC-721 tokens. ERC-721 tokens do not have the concept of quantity, but the contract uses quantity to calculate the token purchase price, and finally there is no classification discussion when the tokens are transferred.
It is recommended that when developers develop selling contracts for multiple tokens, they need to consider different situations based on the characteristics of different tokens.