An attack and a smart contract problem have disrupted the auction for a highly anticipated NFT project, leaving the team with $33 million that cannot be accessed.
The highly anticipated NFT project Akutars was hit by an exploit and a glitch over the weekend, resulting in over 11,500 Ethereum (ETH), worth over $33 million, being permanently locked inside a smart contract, inaccessible even to the development team.
However, the exploit was carried out by someone attempting to demonstrate a vulnerability in the project, not to steal funds via a hack.
The initiative launched on Friday, April 22, with a Dutch Auction, a sort of auction in which the price decreases until a bid is received, with the highest bid winning the sale as long as the price exceeds the reserve.
The auction began at 3.5 Ethereum, with 5,495 of the 15,000 NFTs available for purchase and a smart contract in place to repay underbidders. Additionally, holders of an “Aku Mint Pass” received a discount of 0.5 Ethereum on each minted NFT.
The $33 Million Bug
In a tweet on April 23, 0xInuarashi, a developer of numerous NFT projects, said that Akutars’ smart contract was written in such a way that reimbursements to bidders had to be processed before the team could withdraw any funds.
The contract had a clause requiring a minimum number of bids before the team could withdraw; however, that minimum was set equal to the number of NFTs available for auction.
Regrettably, because some buyers minted several NFTs in a single bid, the number of bids can never reach that threshold, so under the contract’s terms the funds will never unlock, effectively locking away approximately $33 million in Ethereum for good.
The heist
According to a now-deleted tweet published by DeFi developer foobar, the Akutars team was contacted by developers warning that its contract could be exploited, but appeared to dismiss the warnings entirely, referring to the potential exploit as a “feature.”
The AkuDreams team pretended that this was a feature, not an exploit, when multiple developers raised concerns prior to mint. Bizarre justifications. pic.twitter.com/cVgEXnnWzF
— foobar (@0xfoobar) April 23, 2022
During the mint, an unknown individual executed a “griefing contract,” preventing the Akutars contract from processing refunds to underbidders. The individual even included a note on the blockchain instructing the Akutars team to terminate the contract:
“Well, this was enjoyable; I had no intention of abusing this in any way. Otherwise, I would have stayed away from Coinbase. Once you openly disclose the existence of the exploit, I will instantly remove the barrier.”
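The two defects described above, the withdrawal gate whose bid counter can never be reached and the push-refund loop that a reverting recipient can stall, reproduced in a Solidity example added for this article (constructed, not the Akutars contract), with a pull-payment version beside it that tracks refunds as a liability so the proceeds withdrawal never waits on refunds. Contract names, counter names and the fixed FINAL_PRICE clearing price are assumptions.

```solidity
pragma solidity ^0.8.17;
// Vulnerable pattern (constructed, not the Akutars code): the withdraw gate compares a
// per-entry refund counter with a per-token bid counter, and refunds are pushed in a loop.
contract GatedAuctionVulnerable {
    struct Bid { address bidder; uint256 paid; uint256 qty; }
    Bid[] public bids;
    uint256 public totalBids;       // += qty : counts tokens
    uint256 public refundProgress;  // ++     : counts bid entries
    uint256 public constant FINAL_PRICE = 1 ether; // assumed clearing price
    address public owner = msg.sender;
    function bid(uint256 qty) external payable {
        bids.push(Bid(msg.sender, msg.value, qty));
        totalBids += qty;
    }
    function processRefunds() external {
        for (uint256 i = refundProgress; i < bids.length; i++) {
            Bid storage b = bids[i];
            (bool ok, ) = b.bidder.call{value: b.paid - FINAL_PRICE * b.qty}("");
            require(ok, "refund failed"); // a recipient that reverts on receive stalls every later refund
            refundProgress++;
        }
    }
    function withdraw() external {
        require(refundProgress >= totalBids, "refunds not done"); // never true once any qty > 1
        payable(owner).transfer(address(this).balance);
    }
}
// Hardened form: pull-based refunds tracked as a liability, so there is no loop to
// stall and the proceeds withdrawal never waits on third-party recipients.
contract GatedAuctionFixed {
    uint256 public constant FINAL_PRICE = 1 ether;
    address public owner = msg.sender;
    mapping(address => uint256) public refundOwed;
    uint256 public refundLiability;
    function bid(uint256 qty) external payable {
        uint256 excess = msg.value - FINAL_PRICE * qty; // reverts if underpaid (checked math)
        refundOwed[msg.sender] += excess;
        refundLiability += excess;
    }
    function claimRefund() external {
        uint256 amt = refundOwed[msg.sender];
        refundOwed[msg.sender] = 0; refundLiability -= amt; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "refund failed"); // a revert here affects only the caller
    }
    function withdraw() external {
        require(msg.sender == owner, "not owner");
        payable(owner).transfer(address(this).balance - refundLiability);
    }
}
```

In the vulnerable contract a single call to bid(2) makes totalBids exceed what refundProgress can ever reach, and any bidder whose address rejects incoming ETH halts processRefunds at their entry; the hardened contract has neither dependency.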
Akutars then responded swiftly by accepting responsibility for the code and stating that the exploit “was not done maliciously” and that the individual “wanted to draw attention to recommended practices for highly public projects.”
Quick Update (will go into more detail asap):
1. The exploit in the contract was not done out of malice; the person intended to bring attention to best practices for highly visible projects & novel mechanics. They unblocked the exploit quickly after we dug in and took ownership
— Aku :: Akutars (@AkuDreams) April 23, 2022
Micah Johnson, the project’s founder and former professional baseball player, apologised to the community in a tweet the same day, adding that he will “continue to construct brick by brick” and work relentlessly to avoid similar errors in the future.
Additionally, the company stated that it will be refunding 0.5 Ethereum to pass holders and airdropping the NFT to successful bidders.
The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku.
& most everything will go back to refunds and we will keep building what we set out to do.
Brick by brick. https://t.co/vQiPbl0Jpl
— Micah Johnson (@Micah_Johnson3) April 23, 2022
In a Sunday, April 24 update, the team stated that it had updated its minting contract, which was then audited by several developers, and that it intends to mint on Monday, April 25.