Treasure marketplace tells users to delist NFTs after exploit

Treasure, the biggest marketplace for non-fungible tokens (NFTs) on the Arbitrum blockchain, has been hit by an exploit.

Treasure DAO co-founder John Patten confirmed the exploit in a tweet posted on the evening of March 2.

“Treasure marketplace is being exploited. Please delist your items. We will cover the costs of the exploit — I will personally give up all of my Smols to repair this,” he said.

Earlier today, Treasure advised users to “delist everything” through messages posted on its Discord server, and said the marketplace had been paused. Its representatives later added that they believed they had identified the issue.

The news triggered panic among Treasure users, who took to social media to sound the alarm. 

DELIST ALL YOUR SHIT OFF TREASURE MARKETPLACE, THIS ISNT A JOKE. THIS WAS JUST STOLEN IN A MARKETPLACE EXPLOIT FOR 0 MAGIC, I JUST HAD A PINK SMOL STOLEN. THESE ARE NOT REAL SALES, DELIST NOW. @Treasure_DAO KILL THE SITE https://t.co/8TySOce5kW

— Keyboard Monkey (@KeyboardMonkey3) March 3, 2022

The full extent of the exploit and which items have been stolen is not yet clear, but a blockchain address associated with the hacker — shared by Twitter sleuths — gives some indication. 

That address appears to show that 17 Smol Brains — perhaps the most popular NFTs traded on Arbitrum — were stolen. Based on their listed prices on the Treasure platform, the total value of these pieces comes to 426,511.38 in MAGIC, Treasure’s native token, or around $1.4 million at current prices.

The hacker appears to have been able to acquire the pieces without paying for them.

🚨🚨 Seems to be a bug in the @Treasure_DAO marketplace.

Listed smols getting sold for 0 magic

Delist your smols 🚨🚨 pic.twitter.com/VB1BYhcsrW

— edgar.eth 🦉 (@edgar_eth) March 3, 2022

News of the hack triggered a sharp fall in the price of MAGIC, from around $3.8 to as low as $2.6, according to CoinGecko. The price of the token has recovered somewhat in the hours since the exploit and is now trading at roughly $3.3.

PeckShield weighs in

Early on March 3, blockchain security and data firm PeckShield published an analysis of the incident — claiming that more than 100 NFTs from several collections had been stolen from the Treasure marketplace. 

PeckShield also confirmed that the hacker was able to ‘buy’ those pieces in exchange for zero MAGIC, thanks to a bug in the platform’s code that allowed the prices of items to be manipulated. 

John Patten and Treasure were contacted for comment but did not respond by press time. 

UPDATE: This article was updated on March 3 at 1:18am ET with additional information from PeckShield.