BREAKING – The Treasure Marketplace has been hacked! A bug in the contract allowed attackers to purchase a variety of NFTs, including high value Genesis Legions and Smol Brains, for 0 cost. This is a bug in the exchange itself and is currently affecting ALL listed NFTs.
Users should delist or revoke approval for ANY NFT on the site immediately!
The Arbiscan for the contract is here. This is an example of an exploiting transaction. The transaction input is below; you can see that _quantity has been set to 0.
The marked require statement ensures that the user-entered quantity is less than or equal to the amount listed. It does not check that it is not zero! Allowing _quantity to be zero makes the price calculation in _buyItem equal to zero, resulting in a zero-value transfer as payment.
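To make the missing line concrete, here is an added, simplified illustration (not the Treasure Marketplace contract; the contract layout, function names and the ERC-721 transfer path are assumptions) showing the vulnerable pattern next to the hardened one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

/// Hypothetical marketplace used only to illustrate the missing zero-quantity check.
contract QuantityCheckDemo {
    struct Listing {
        uint64 quantity;      // units still listed for sale
        uint128 pricePerItem; // price per unit in the payment token
    }

    IERC20 public immutable paymentToken;

    // nft address => tokenId => seller => listing
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;

    constructor(IERC20 _paymentToken) { paymentToken = _paymentToken; }

    /// Vulnerable pattern: only an upper bound is enforced on _quantity,
    /// so _quantity == 0 passes every check and reaches _buyItem.
    function buyItemVulnerable(address _nft, uint256 _tokenId, address _owner, uint64 _quantity) external {
        Listing storage l = listings[_nft][_tokenId][_owner];
        require(l.quantity > 0, "not listed");
        require(l.quantity >= _quantity, "not enough quantity"); // true when _quantity == 0
        _buyItem(_nft, _tokenId, _owner, _quantity, l);
    }

    /// Hardened pattern: reject a zero quantity before any price is computed.
    function buyItem(address _nft, uint256 _tokenId, address _owner, uint64 _quantity) external {
        require(_quantity > 0, "quantity must be positive"); // the single missing line
        Listing storage l = listings[_nft][_tokenId][_owner];
        require(l.quantity > 0, "not listed");
        require(l.quantity >= _quantity, "not enough quantity");
        _buyItem(_nft, _tokenId, _owner, _quantity, l);
    }

    function _buyItem(address _nft, uint256 _tokenId, address _owner, uint64 _quantity, Listing storage l) internal {
        uint256 totalPrice = uint256(l.pricePerItem) * _quantity; // 0 when _quantity == 0
        l.quantity -= _quantity;
        require(paymentToken.transferFrom(msg.sender, _owner, totalPrice), "payment failed");
        // ERC-721 path: one token moves regardless of _quantity, so a zero price still delivers the NFT
        IERC721(_nft).safeTransferFrom(_owner, msg.sender, _tokenId);
    }
}
```

A unit test that calls buyItem with _quantity = 0 and expects a revert is the cheapest regression guard for this class of bug.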
Founder John Patten promises to make the affected users whole. The hack impact is still ticking up, and it remains to be seen how much he will be on the hook for.
This address seems to be one of the first exploiters. He quickly went on a scooping spree of over 20 txns.
With such a low barrier to entry for this exploit (basically just interacting via Etherscan), many copycats quickly started exploiting it as well. And some dishonest users decided to promote it to their groups…
What a mess. It’s a shame, really. The $MAGIC and Treasure ecosystems are a high energy community with an ethos of free mints and value creation. Lively, creative concepts. All now endangered because of a single missing smart contract line.