It seems almost unbelievable that an NFT marketplace would advise its users to delist all of their assets, but that's exactly what happened when Treasure marketplace fell victim to a hack. Flaws in the platform's code allowed hackers to purchase high-value NFTs for 0 MAGIC (the platform's native token) and distribute them between multiple wallets. Over 100 NFTs were stolen, leading to mass panic across social media, the marketplace being frozen and that nearly unprecedented advice to delist. The price of MAGIC plummeted as the notoriously community-driven marketplace scrambled to protect its users.
Treasure is the biggest marketplace on the Arbitrum blockchain and home to the high value Smol Brains NFT collection, some of the most valuable tokens traded on the platform. 17 of these (with a total value of around $1.4 million) appear to have been stolen alongside an array of other tokens. Twitter detectives were able to track down an address allegedly linked to the hacker, which shows some of the stolen pieces. Multiple wallets hold multiple sets of NFTs, all purchased for 0 MAGIC while paying less than $5 worth of gas.
A rapid response from the DAO
Panic spread rapidly across Twitter and Discord when the news broke. Users urged each other to delist everything from Treasure and then the devs weighed in with the same advice. They acknowledged the exploit on Twitter and urged everybody to take their NFTs down. The tweet from John Patten (co-founder of Treasure DAO) struck a defiant tone, declaring that the hacker wouldn't defeat the community and branding them "subhuman."
The tweet also assured users that they would be compensated for any losses. Better still, the hacker appears to be returning some of the stolen NFTs, including an extremely valuable 1/1 Golden Smol worth over half a million dollars. Of the 100+ NFTs stolen, TreasureDAO claims that only 50 are still lost. The DAO has vowed to track these down, but it doesn't seem unreasonable to imagine that the hacker might simply return them. There isn't much that a person can do with a stolen NFT, which will always be traceable.
The marketplace has since been frozen as the team works on a fix. Listings are safe, but the devs will be taking a deep dive into the code to plug any vulnerabilities. Despite its scale, the exploit took advantage of a fairly simple flaw in the platform. Hackers capitalised on a bug that allowed ERC721 tokens to be set to a quantity of zero. This let them acquire NFTs for free. It's a basic slip, and shows that there was real vulnerability at the heart of the marketplace. Since there are so many wallets involved, it's difficult to tell whether this is the work of an individual or a group.
An exploit in the code
Speaking on Discord, the team clarified that the exploit was the result of a previous fix and acknowledged that it should have been identified earlier. Blockchain security company PeckShield delved into this in a little more detail on Twitter, explaining exactly how the hack was perpetrated and how the culprits were able to get hold of the NFTs for 0 MAGIC.
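The zero-quantity flaw described above can be modelled in a few lines. This is an added illustration in Python, not Treasure's contract code; it assumes the amount charged is the listing price multiplied by the requested quantity, and every name in it (`Marketplace`, `buy`, `simulate`) is hypothetical.

```python
# Added illustration: a simplified Python model, not Treasure's contract code.
# Assumptions: the charge is price_per_item * quantity, and an ERC721 transfer
# moves the whole token whatever quantity was requested.
class Marketplace:
    def __init__(self, validate):
        self.validate = validate   # True = hardened checks enabled
        self.listings = {}         # token_id -> (standard, seller, price, qty)
        self.owner = {}            # token_id -> current ERC721 owner
        self.magic = {}            # address -> MAGIC balance

    def list_erc721(self, token_id, seller, price):
        self.owner[token_id] = seller
        self.listings[token_id] = ("ERC721", seller, price, 1)

    def buy(self, token_id, buyer, quantity):
        standard, seller, price, listed_qty = self.listings[token_id]
        if self.validate:
            # Hardened path: reject zero and anything above the listed amount,
            # and require exactly 1 for an ERC721.
            if quantity <= 0 or quantity > listed_qty:
                raise ValueError("invalid quantity")
            if standard == "ERC721" and quantity != 1:
                raise ValueError("ERC721 quantity must be 1")
        total = price * quantity               # quantity 0 makes the total 0
        if self.magic.get(buyer, 0) < total:
            raise ValueError("insufficient MAGIC")
        self.magic[buyer] = self.magic.get(buyer, 0) - total
        self.magic[seller] = self.magic.get(seller, 0) + total
        if standard == "ERC721":
            self.owner[token_id] = buyer       # the whole token changes hands
            del self.listings[token_id]
        return total


def simulate(validate):
    """Constructed scenario: a buyer holding 0 MAGIC requests quantity 0."""
    m = Marketplace(validate)
    m.list_erc721(token_id=1, seller="seller", price=500_000)
    try:
        paid = m.buy(1, "buyer", quantity=0)
    except ValueError as exc:
        return m.owner[1], str(exc)
    return m.owner[1], paid
```

Without validation the token moves to the buyer for a total of 0; with validation the same request is rejected and the seller keeps the token.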
When the code is repaired and fixes deployed, Treasure marketplace will presumably reopen and, judging by the defiant statements from its co-founder, return with renewed vigour. If anything, the community looks even stronger than before. Patten's pledge to give away all his Smols to compensate those affected is certainly a striking gesture, and the DAO will shortly vote on remuneration options for anyone who doesn't get their NFT back.
Rather than the total disaster that it easily could have been, the hack turned into a positive example of how a team should handle a crisis. TreasureDAO acted fast and with maximum transparency before misinformation got the chance to spread. Marketplace hacks rarely have a happy ending and most aren't managed nearly as well as this.
Proof of successful crisis management is evident in the price movements of MAGIC. It tanked upon news of the exploit, tumbling to a lowly $2.6. That's unsurprising given the scale of the loss and the fact that it came about due to flaws within the platform itself. What's more surprising is how quickly MAGIC rebounded, climbing back up to (at time of writing) a high of $3.3. This is a clear show of confidence towards the marketplace, the team behind it and how they navigated this crisis. Plenty of other NFT marketplaces and DAOs could learn a lot from how Treasure handled itself.