AkuDreams dev team locks up $33M due to smart contract bug

Published at: April 25, 2022

The highly anticipated nonfungible token (NFT) project Akutars was marred by both an exploit and a bug over the weekend, leaving over 11,500 Ether (ETH), worth nearly $33 million, locked forever inside a smart contract, inaccessible even to the development team.

The exploit, however, was carried out by someone who wanted to demonstrate a vulnerability in the project, not to steal funds.

The project went live on Friday with a Dutch Auction, a type of auction where the price lowers until it receives a bid, with the first bid winning the sale as long as the price is above the reserve.

The auction opened at 3.5 ETH with only 5,495 of the available 15,000 NFTs up for sale and the smart contract set to refund any bidders who were underbid. Holders of an “Aku Mint Pass” were also given a 0.5 ETH discount on each minted NFT.

The $33M Bug

In a Saturday Twitter thread on the whopping $33 million bug, 0xInuarashi, a developer of multiple NFT projects, explained that Akutars’ smart contract was written so that refunds to bidders had to be processed before the team could withdraw any funds.

The contract also required that a minimum number of bids be placed before it would let the team withdraw, and that minimum was set equal to the number of NFTs available for auction.

Unfortunately, because some buyers minted multiple NFTs within a single bid, the number of bids can never reach the number of NFTs sold. The withdrawal condition therefore can never be satisfied, sealing away the nearly $33 million in ETH forever.

Cointelegraph contacted the Akutars team for comment but did not immediately get a response.

The exploit

In a now-deleted tweet from Akutars, shared by DeFi developer foobar, the team said that developers had reached out warning that the contract could be exploited, but the team appeared to dismiss the concerns entirely, labeling the potential exploit a “feature.”

The AkuDreams team pretended that this was a feature, not an exploit, when multiple developers raised concerns prior to mint. Bizarre justifications. pic.twitter.com/cVgEXnnWzF

— foobar (@0xfoobar) April 23, 2022

During the mint, an unknown individual executed what’s known as a “griefing contract,” which locked the ability of the Akutars contract to process refunds to those who underbid. The individual even embedded a message on the blockchain to the Akutars team saying they would stop the contract:

“Well, this was fun, had no intention of actually exploiting this lol. Otherwise I wouldn’t have used Coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately.”
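The two failures described above, the push-refund loop that a single refusing recipient can stall, and the withdrawal gate that counts bid transactions instead of items, can both be shown in a minimal auction-mint contract. The following is an added illustration written for this article, not the Akutars contract or any code from its developers; the contract names, the fixed clearing price, the 5,495-item supply (taken from the article) and the overall structure are assumptions chosen to keep the example short. The first contract reproduces the two failure modes; the second shows the corresponding fixes (pull payments and a gate on items sold).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the Akutars contract. Names, the fixed clearing
// price and the structure are assumptions; real Dutch auctions decay the
// price over time, which is omitted here.

contract GriefableAuction {
    address public immutable owner;
    uint256 public constant TOTAL_FOR_AUCTION = 5495;  // items offered (figure from the article)
    uint256 public constant CLEARING_PRICE = 1 ether;  // assumed final price

    struct Bid { address bidder; uint256 paid; uint256 quantity; }
    Bid[] public bids;              // one entry per bid *transaction*
    uint256 public itemsSold;       // items actually allocated
    uint256 public refundProgress;  // index up to which push-refunds have run

    constructor() { owner = msg.sender; }

    function bid(uint256 quantity) external payable {
        require(quantity > 0 && itemsSold + quantity <= TOTAL_FOR_AUCTION, "sold out");
        require(msg.value >= quantity * CLEARING_PRICE, "underbid");
        bids.push(Bid(msg.sender, msg.value, quantity));
        itemsSold += quantity;      // grows faster than bids.length
    }

    // FAILURE MODE 1 (griefing): overpayments are *pushed* to bidders in a loop.
    // If any bidder address is a contract that refuses ETH, the require()
    // reverts and refundProgress never advances past that entry.
    function processRefunds(uint256 batch) external {
        uint256 end = refundProgress + batch;
        if (end > bids.length) end = bids.length;
        for (uint256 i = refundProgress; i < end; i++) {
            Bid storage b = bids[i];
            uint256 owed = b.paid - b.quantity * CLEARING_PRICE;
            if (owed > 0) {
                (bool ok, ) = b.bidder.call{value: owed}("");
                require(ok, "refund failed");  // one bad recipient blocks everyone
            }
        }
        refundProgress = end;
    }

    // FAILURE MODE 2 (the permanent lock): the gate compares a count of bid
    // transactions with a count of items. Once any bidder buys two or more
    // items, bids.length can never reach TOTAL_FOR_AUCTION, so withdraw()
    // reverts forever even after every refund has been processed.
    function withdraw() external {
        require(msg.sender == owner, "not owner");
        require(refundProgress == bids.length, "refunds first");
        require(bids.length >= TOTAL_FOR_AUCTION, "auction not complete");  // BUG: wrong unit
        payable(owner).transfer(address(this).balance);
    }
}

contract HardenedAuction {
    address public immutable owner;
    uint256 public immutable endTime;                  // deadline so a sell-out is not required
    uint256 public constant TOTAL_FOR_AUCTION = 5495;
    uint256 public constant CLEARING_PRICE = 1 ether;

    mapping(address => uint256) public paid;           // per-bidder ledger instead of a loop
    mapping(address => uint256) public quantity;
    uint256 public itemsSold;
    uint256 public proceedsWithdrawn;

    constructor(uint256 duration) {
        owner = msg.sender;
        endTime = block.timestamp + duration;
    }

    function bid(uint256 qty) external payable {
        require(block.timestamp < endTime, "auction over");
        require(qty > 0 && itemsSold + qty <= TOTAL_FOR_AUCTION, "sold out");
        require(msg.value >= qty * CLEARING_PRICE, "underbid");
        paid[msg.sender] += msg.value;
        quantity[msg.sender] += qty;
        itemsSold += qty;
    }

    // FIX 1: pull payments. Each bidder claims their own overpayment, so a
    // recipient that reverts blocks only itself. The ledger is updated before
    // the external call (checks-effects-interactions).
    function claimRefund() external {
        uint256 owed = paid[msg.sender] - quantity[msg.sender] * CLEARING_PRICE;
        require(owed > 0, "nothing owed");
        paid[msg.sender] -= owed;
        (bool ok, ) = msg.sender.call{value: owed}("");
        require(ok, "refund failed");
    }

    // FIX 2: gate on items sold (or the deadline), and withdraw only the sale
    // proceeds (items x price). Unclaimed refunds stay in the contract and can
    // never be swept by the owner, so refund ordering no longer matters.
    function withdraw() external {
        require(msg.sender == owner, "not owner");
        require(itemsSold == TOTAL_FOR_AUCTION || block.timestamp >= endTime, "auction not complete");
        uint256 available = itemsSold * CLEARING_PRICE - proceedsWithdrawn;
        proceedsWithdrawn += available;
        payable(owner).transfer(available);
    }
}
```

Two review checks follow from this: any `require()` that gates a large withdrawal should compare quantities measured in the same unit (items against items, not transactions against items), and any loop that sends ETH to addresses chosen by third parties should be replaced by a per-address claim so that no single recipient can halt payouts for the rest.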

Akutars then promptly responded by taking responsibility for the code and suggested that the exploit “was not done out of malice” and that the person “intended to bring attention to best practices for highly visible projects.”

Quick Update (will go into more detail asap): 1. The exploit in the contract was not done out of malice; the person intended to bring attention to best practices for highly visible projects & novel mechanics. They unblocked the exploit quickly after we dug in and took ownership

— Aku :: Akutars (@AkuDreams) April 23, 2022

In a tweet on the same day, the project’s founder and former professional baseball player Micah Johnson apologized to the community, noting that after letting them down, he will “continue to build brick by brick” and work tirelessly to avoid any similar issues going forward.

The team also said that it will be issuing 0.5 ETH refunds to pass holders as well as airdropping the NFT to successful bidders.

The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku. & most everything will go back to refunds and we will keep building what we set out to do. Brick by brick. https://t.co/vQiPbl0Jpl

— Micah Johnson (@Micah_Johnson3) April 23, 2022

In an update posted on Sunday, the team said it had rewritten its minting contract, which was then audited by several developers, and that it plans to mint on Monday.


This article has been updated, with the headline changing from “$34M” to “$33M.”
