Analysis of the TreasureDao Zero Fee Exploit

On March 3, 2022, our team was notified of a serious vulnerability in TreasureDao’s NFT trading platform. TreasureDAO is a NFT project built on the layer two protocol, Arbitrum. The project’s team is currently working on fixing this vulnerability and providing a solution to affected users. The SlowMist security team investigated this incident and these are our findings.

Related Information

Contract address

TreasureMarketplaceBuyer:
0x812cda2181ed7c45a35a691e0c85e231d218e273

TreasureMarketplace:
0x2e3b85f85628301a0bce300dee3a6b04195a15ee

Vulnerability Analysis

1.Users purchase NFTs using the TreasureMarketplaceBuyer contract’s buyItem function. This function will first calculate the total amount to be purchased and then input the required amount into the contract. Next, it will call the buyItem function in the TreasureMarketplace contract to purchase NFTs from the market and add them to the TreasureMarketplaceBuyer contract. Finally, transfer the NFT to the user from the TreasureMarketplaceBuyer contract.

2.When looking at the TreasureMarketplace contract, if the incoming _quantity parameter is 0, you can directly pass require(listedItem.quantity >= _quantity, “not enough quantity”); Check and enter the following transfer NFT process since there’s no ERC-721 standard. The number of NFT transfers is checked, so even if the incoming _quantity parameter is 0, the ERC-721 standard NFTs can still be transferred. The formula for calculating the price an NFT is totalPrice = _pricePerItem * _quantity, so the price of buying an NFT is calculated as 0, resulting in all ERC-721 standard NFTs on the market being purchased for free.

Incident Analysis

Let’s take a closer look at one of the transactions used in this incident.

Exploited Transaction:

https://arbiscan.io/tx/0x82a5ff772c186fb3f62bf9a8461aeadd8ea0904025c3330a4d247822ff34bc02

Exploiter Address:

0x4642d9d9a434134cb005222ea1422e1820508d7b

Transaction details:

As you can see from the image below, the attacker calls the buyItem function in the TreasureMarketplaceBuyer contract and sets the incoming _quantity parameter to 0.

Because all the token transfers are 0, the attacker was able to successfully purchase the NFT tokenID 3557 without paying anything. This entire procedure is consistent with the detailed vulnerability analysis presented above.

Summary

The main cause of this vulnerability is a failure to recognize that the incoming _quantity parameter is not 0 prior to the transfer of NFTs. As a result, NFTs were directly transferred when calculating the price for purchases since the calculated fees were 0. The SlowMist security team recommends that before initiating the transfer, the incoming amount be checked to avoid such problems from occurring.

--

--

--

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Web Bluetooth as a force for good with hackNY and Simprints

SuperLauncher Completes Launchpad 2.0 Audit with Inspex

Malware Counter Measure Standard Operation Procedure in Old Corporations

Earn a Guaranteed Limited Edition bePAY NFT — Happy Lunar New Year 2022

While investigating the recent SolarWinds Orion supply-chain attack security researchers discovered…

A deep dive into Vulnerability Analysis

Personal data, PII, non-persona data…

Airdrop/Whitelist Complete Guide — Blockster

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SlowMist

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

More from Medium

The Vulnerability behind the Sandbox LAND migration

Adieu, State Channels

Web3 will structurally change sociology and economics forever

Hubble Protocol — Zero-interest loans on Solana: A Deep Dive