Hackers Steal NFT Monkeys on Top Ethereum Layer 2
An exploit in the Treasure marketplace's code let the hackers acquire NFTs without paying for them.
- Hackers have stolen hundreds of NFTs from the Arbitrum NFT marketplace Treasure.
- Treasure developers quickly froze trading to avoid further losses.
- Since the incident, many of the hackers have return the NFTs to their rightful owners.
Share this article
The Arbitrum-based NFT marketplace Treasure has been hacked. Developers froze trading after hundreds of NFTs from the Smol Brains and Legions collections were stolen.
Treasure Marketplace Hit by Exploit
The Treasure marketplace has suffered an exploit.
Treasure, the biggest NFT marketplace on the Ethereum Layer 2 solution Arbitrum, was hit by an attack early Thursday morning, resulting in hundreds of NFTs being stolen. Hackers found a way to acquire NFTs listed on the Treasure marketplace without paying for them. Treasure developers quickly reacted by freezing trading on the marketplace to avoid further damage.
Treasure is the hub for NFTs in the TreasureDAO NFT ecosystem. Instead of using Ethereum or stablecoins to buy and sell NFTs like on OpenSea, Treasure only lets users transact using MAGIC tokens, the ecosystem’s native currency. According to blockchain security company PeckShield, an attacker found a way to manipulate the price of listed NFTs on Treasure, allowing them to buy NFTs for 0 MAGIC tokens.
PeckShield estimates more than 100 NFTs were stolen from the marketplace before developers froze trading. One address appears to have stolen 17 pixel-art monkeys from the Smol Brains collection. If purchased for the original listing prices, these NFTs would have cost a buyer over $1.4 million worth of MAGIC tokens at the time of the hack. Since Smol Brains and another popular collection called Legions are currently the most valuable and actively traded NFTs on Treasure, they appear to have borne the brunt of the exploit. The cheapest Smol Brains normally trade for around $9,500 today.
As news of the exploit circulated online, the price of the MAGIC token dropped sharply, bottoming out at a 33% loss before posting a slight recovery. MAGIC is currently trading at $3.38, down 11% from pre-exploit levels.
In response to the exploit, TreasureDAO’s GoudaGaarp took to Discord to reassure the Treasure community. “Deepest and sincerest condolences for those impacted by the exploit today,” they wrote. GoudaGaarp went on to explain that TreasureDAO had frozen the Treasure marketplace pending a full code review. TreasureDAO will also take an active role in distributing NFTs back to their rightful owners and plans to propose several remediation options to ensure users are made whole.
However, as the situation progressed, it appeared that many of the hackers had a change of heart. A Twitter user posting under the handle @Br0keboy96 pointed out that transaction data from Arbiscan shows dozens of NFTs stolen from Treasure being returned to their rightful owners. Presumably, the hackers realized that the stolen NFT could not be cashed out due to TreasureDAO freezing trading and likely planning to blacklist all stolen NFTs.
As NFTs have boomed in popularity, exploits and hacks targeting NFT marketplaces have increased. Last month, a hacker using phishing emails was able to steal approximately millions of dollars worth of NFTs from unsuspecting OpenSea users. While DeFi protocols and cross-chain bridges have typically been popular targets for hackers, as non-fungible tokens grow in value and popularity, more attacks against applications like Treasure are likely.
Disclosure: At the time of writing this piece, the author owned ETH and several other cryptocurrencies.