Analysis of the TreasureDao Zero Fee Exploit

SlowMist
3 min read · Mar 4, 2022

On March 3, 2022, our team was notified of a serious vulnerability in TreasureDAO’s NFT trading platform. TreasureDAO is an NFT project built on the layer-two protocol Arbitrum. The project’s team is currently working on fixing this vulnerability and providing a solution to affected users. The SlowMist security team investigated this incident, and these are our findings.

Related Information

Contract address

TreasureMarketplaceBuyer:
0x812cda2181ed7c45a35a691e0c85e231d218e273

TreasureMarketplace:
0x2e3b85f85628301a0bce300dee3a6b04195a15ee

Vulnerability Analysis

1. Users purchase NFTs through the buyItem function of the TreasureMarketplaceBuyer contract. This function first calculates the total payment due and transfers that amount from the user into the contract. It then calls the buyItem function of the TreasureMarketplace contract to purchase the NFT from the market, which delivers the NFT to the TreasureMarketplaceBuyer contract. Finally, the NFT is transferred from the TreasureMarketplaceBuyer contract to the user.

2. In the TreasureMarketplace contract, if the incoming _quantity parameter is 0, the check require(listedItem.quantity >= _quantity, “not enough quantity”); still passes, and execution proceeds to the NFT transfer. Because the ERC-721 standard has no notion of a transfer amount, the number of NFTs transferred is never compared against _quantity, so an ERC-721 NFT is transferred even when _quantity is 0. The price of an NFT is calculated as totalPrice = _pricePerItem * _quantity, so with _quantity = 0 the price is 0, and every ERC-721 NFT listed on the market could be purchased for free.
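The vulnerable check and its fix, as an added simplified model written for this article (it is not the TreasureMarketplace source; the struct layout, function signatures, storage layout and the use of an ERC-20 payment token are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

// Simplified fixed-price marketplace used to illustrate the bug class.
// Struct layout, signatures and ERC-20 payment are assumptions, not the
// TreasureMarketplace source.
contract MarketplaceModel {
    struct Listing { uint256 quantity; uint256 pricePerItem; }

    IERC20 public immutable paymentToken;
    // nft contract => tokenId => seller => listing
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;

    constructor(IERC20 token) { paymentToken = token; }

    // Vulnerable shape. With _quantity == 0: the `>=` check passes,
    // totalPrice is 0, the ERC-20 transfer moves nothing, and the ERC-721
    // transfer (which takes no amount argument) still hands over the token.
    function buyItemVulnerable(address _nft, uint256 _tokenId, address _owner, uint256 _quantity) external {
        Listing storage listed = listings[_nft][_tokenId][_owner];
        require(listed.quantity >= _quantity, "not enough quantity");
        uint256 totalPrice = listed.pricePerItem * _quantity;
        require(paymentToken.transferFrom(msg.sender, _owner, totalPrice), "payment failed");
        IERC721(_nft).safeTransferFrom(_owner, msg.sender, _tokenId);
        listed.quantity -= _quantity;
    }

    // Hardened shape: reject a zero quantity before any transfer happens.
    // A marketplace that lists ERC-721 tokens may additionally require
    // _quantity == 1 for them, since each ERC-721 token is unique.
    function buyItemFixed(address _nft, uint256 _tokenId, address _owner, uint256 _quantity) external {
        require(_quantity > 0, "quantity must be positive");
        Listing storage listed = listings[_nft][_tokenId][_owner];
        require(listed.quantity >= _quantity, "not enough quantity");
        uint256 totalPrice = listed.pricePerItem * _quantity;
        require(paymentToken.transferFrom(msg.sender, _owner, totalPrice), "payment failed");
        IERC721(_nft).safeTransferFrom(_owner, msg.sender, _tokenId);
        listed.quantity -= _quantity;
    }
}
```

Note that on the vulnerable path a zero quantity also leaves the listing's stored quantity unchanged, so nothing in contract storage records that a sale took place; monitoring has to rely on the emitted Transfer events instead.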

Incident Analysis

Let’s take a closer look at one of the transactions used in this incident.

Exploited Transaction:

https://arbiscan.io/tx/0x82a5ff772c186fb3f62bf9a8461aeadd8ea0904025c3330a4d247822ff34bc02

Exploiter Address:

0x4642d9d9a434134cb005222ea1422e1820508d7b

Transaction details:

As can be seen in the image below, the attacker called the buyItem function of the TreasureMarketplaceBuyer contract with the incoming _quantity parameter set to 0.

Because every token transfer amount was 0, the attacker was able to obtain the NFT with tokenID 3557 without paying anything. The whole procedure matches the vulnerability analysis presented above.

Summary

The root cause of this vulnerability is the failure to check that the incoming _quantity parameter is non-zero before the NFT is transferred. As a result, the calculated price was 0 and the NFTs were transferred without any payment. The SlowMist security team recommends checking the incoming quantity before initiating any transfer to prevent such problems.


SlowMist

SlowMist is a blockchain security firm established in 2018, providing services such as security audits, security consulting, red teaming, and more.