Analysis of the TreasureDao Zero Fee Exploit
On March 3, 2022, our team was notified of a serious vulnerability in TreasureDAO’s NFT trading platform. TreasureDAO is an NFT project built on the layer-two network Arbitrum. The project’s team is currently working on fixing this vulnerability and providing a solution to affected users. The SlowMist security team investigated this incident, and these are our findings.
1. Users purchase NFTs through the buyItem function of the TreasureMarketplaceBuyer contract. This function first calculates the total amount to be paid and transfers that amount into the contract. It then calls the buyItem function of the TreasureMarketplace contract, which purchases the NFTs from the market and delivers them to the TreasureMarketplaceBuyer contract. Finally, the TreasureMarketplaceBuyer contract transfers the NFTs to the user.
2. In the TreasureMarketplace contract, if the incoming _quantity parameter is 0, the check require(listedItem.quantity >= _quantity, "not enough quantity"); passes directly and execution continues into the NFT transfer logic. An ERC-721 transfer carries no amount, so the number of NFTs transferred is never checked against _quantity: even when _quantity is 0, an ERC-721 NFT is still transferred. The price is calculated as totalPrice = _pricePerItem * _quantity, which evaluates to 0, so every ERC-721 NFT listed on the market could be bought for free.
Let’s take a closer look at one of the transactions used in this incident.
As shown in the image below, the attacker calls the buyItem function of the TreasureMarketplaceBuyer contract with the incoming _quantity parameter set to 0.
Because every token transfer amount in the transaction is 0, the attacker was able to obtain the NFT with tokenID 3557 without paying anything. The whole procedure matches the vulnerability analysis presented above.
The root cause of this vulnerability is the failure to check that the incoming _quantity parameter is non-zero before the NFTs are transferred. As a result, the NFTs were transferred even though the price calculated for the purchase, and therefore the fee collected, was 0. The SlowMist security team recommends validating the incoming quantity before initiating any transfer, so that such problems cannot occur.
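To make the mechanism described in point 2 and the recommendation above concrete, here is a minimal marketplace sketch written for this analysis. It is not TreasureDAO's code; the contract, the Listing struct, the isERC721 flag and the function names are assumptions. The first function reproduces the vulnerable pattern (a zero quantity passes the stock check, prices the purchase at 0, and still triggers the amount-less ERC-721 transfer); the second shows the check the recommendation calls for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration for this analysis, not TreasureDAO's own contract.
// Listing, isERC721 and the function names are assumed for the sketch.

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC1155 {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract MinimalMarketplace {
    struct Listing {
        address seller;
        uint256 quantity;      // units still for sale
        uint256 pricePerItem;  // price per unit in paymentToken
        bool isERC721;         // true for ERC-721, false for ERC-1155
    }

    IERC20 public immutable paymentToken;
    mapping(address => mapping(uint256 => Listing)) public listings;

    constructor(IERC20 _paymentToken) {
        paymentToken = _paymentToken;
    }

    // VULNERABLE pattern: with _quantity == 0 the stock check is trivially
    // true, totalPrice is 0, and the ERC-721 branch moves the token anyway
    // because an ERC-721 transfer has no amount to carry _quantity.
    function buyItemVulnerable(address _nft, uint256 _tokenId, uint256 _quantity) external {
        Listing storage listed = listings[_nft][_tokenId];
        require(listed.quantity >= _quantity, "not enough quantity"); // passes for 0

        uint256 totalPrice = listed.pricePerItem * _quantity;        // 0 when _quantity == 0
        require(paymentToken.transferFrom(msg.sender, listed.seller, totalPrice), "payment failed");

        if (listed.isERC721) {
            // No amount parameter: the token changes hands regardless of _quantity
            IERC721(_nft).safeTransferFrom(listed.seller, msg.sender, _tokenId);
        } else {
            // ERC-1155 carries the amount, so a zero here moves nothing
            IERC1155(_nft).safeTransferFrom(listed.seller, msg.sender, _tokenId, _quantity, "");
        }
        listed.quantity -= _quantity;
    }

    // HARDENED: reject a zero quantity before any transfer happens, and pin
    // ERC-721 purchases to exactly one unit so the price can never be 0.
    function buyItem(address _nft, uint256 _tokenId, uint256 _quantity) external {
        Listing storage listed = listings[_nft][_tokenId];
        require(_quantity > 0, "quantity must be positive");
        require(listed.quantity >= _quantity, "not enough quantity");
        if (listed.isERC721) {
            require(_quantity == 1, "ERC721: quantity must be 1");
        }

        uint256 totalPrice = listed.pricePerItem * _quantity;        // never 0 for a priced listing
        require(paymentToken.transferFrom(msg.sender, listed.seller, totalPrice), "payment failed");

        if (listed.isERC721) {
            IERC721(_nft).safeTransferFrom(listed.seller, msg.sender, _tokenId);
        } else {
            IERC1155(_nft).safeTransferFrom(listed.seller, msg.sender, _tokenId, _quantity, "");
        }
        listed.quantity -= _quantity;
    }
}
```

The two functions differ only in the guards at the top of buyItem: the positive-quantity check closes the free-purchase path for every token type, and the ERC-721-specific check keeps the quantity consistent with a standard that can only move one token per transfer. In review, any marketplace whose price is derived from a caller-supplied quantity should be checked for exactly this pair of conditions before any asset leaves the seller.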