AkuDreams Smart Contract Under Attack
An attack on its smart contract, together with a flaw in that contract, plagued the highly anticipated Akutars non-fungible token (NFT) project over the weekend. Roughly $33 million worth of Ether was locked within a smart contract that no one, not even the development team, could access.
The attack, however, was carried out by someone aiming to demonstrate a flaw in the project rather than to take money. The project went live on Friday using a Dutch auction, with the highest bidder prevailing as long as the price was more than the reserve.
Moreover, half the 15,000 NFTs were offered for auction, with the smart contract reimbursing the bidders. Each NFT minted with the “Aku Mint Pass” was likewise discounted by 0.5%.
AkuDreams Attacker Details Bug
A developer of many NFT projects, 0xInuarashi, detailed the massive $33 million flaw in a Saturday Twitter thread, noting that Akutars’ smart contract was structured to require reimbursements to bidders before the company could take any cash.
If there were not enough offers, the team might withdraw from the auction. The minimum number of bids was set to match the total number of NFTs offered for sale.
Unfortunately, these contract conditions mean that almost $33 million in ETH has been locked away indefinitely, because certain bidders minted multiple NFTs inside the same offer.
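A simplified Python model of the withdrawal gate described above, added here as an illustration and not taken from the Akutars contract; the class, method names and sample bids are hypothetical. It shows why refund progress counted per offer can never reach a threshold counted per NFT once a single offer covers several NFTs, next to the corrected comparison.

```python
# Simplified model of a "refund everyone before the team can withdraw" gate.
# All names are hypothetical; this is not the Akutars contract source.
# Prices are constructed sample values in arbitrary integer units.

class Auction:
    def __init__(self, count_per_offer):
        self.bids = []            # one record per offer: (bidder, quantity, paid)
        self.nfts_bid_for = 0     # total NFTs requested across all offers
        self.refund_progress = 0  # number of offers already refunded
        self.balance = 0          # funds held by the contract
        self.count_per_offer = count_per_offer  # True = corrected gate

    def bid(self, bidder, quantity, price_each):
        paid = quantity * price_each
        self.bids.append((bidder, quantity, paid))
        self.nfts_bid_for += quantity
        self.balance += paid

    def process_refunds(self, final_price):
        # Dutch auction: early bidders paid more, so each offer is refunded
        # the difference between what it paid and the final clearing price.
        while self.refund_progress < len(self.bids):
            _, quantity, paid = self.bids[self.refund_progress]
            self.balance -= paid - quantity * final_price
            self.refund_progress += 1

    def claim_project_funds(self):
        # Flawed gate: progress counts offers, but the threshold counts NFTs.
        # Corrected gate: both sides of the comparison count offers.
        threshold = len(self.bids) if self.count_per_offer else self.nfts_bid_for
        if self.refund_progress < threshold:
            raise RuntimeError("refunds not complete")
        paid_out, self.balance = self.balance, 0
        return paid_out


def run(count_per_offer):
    auction = Auction(count_per_offer)
    auction.bid("alice", 1, 35)
    auction.bid("bob", 3, 30)    # several NFTs inside a single offer
    auction.bid("carol", 1, 25)
    auction.process_refunds(final_price=25)  # all three offers are refunded
    try:
        return ("withdrawn", auction.claim_project_funds())
    except RuntimeError:
        return ("locked", auction.balance)
```

In the flawed variant every refund has been paid, yet the gate still fails because 3 offers can never equal 5 NFTs; a test that places at least one multi-NFT bid and then asserts the team can withdraw would catch this before deployment.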
The AkuDreams team pretended that this was a feature, not an exploit, when multiple developers raised concerns prior to mint. Bizarre justifications. pic.twitter.com/cVgEXnnWzF
— foobar (@0xfoobar) April 23, 2022
AkuDreams Eventually Acknowledges the Bug and Apologizes to Fans
Developers contacted the Akutars team to tell them that their contract might be abused. Still, the team seemed to dismiss them entirely, referring to the possible vulnerability as a “feature.” During the mint, a “griefing contract” was signed by an unknown person, which prevented the Akutars contract from processing refunds to bidders. As a result, the Akutars team received a notification on the blockchain informing them that they may cancel the contract.
Quick Update (will go into more detail asap):
1. The exploit in the contract was not done out of malice; the person intended to bring attention to best practices for highly visible projects & novel mechanics. They unblocked the exploit quickly after we dug in and took ownership
— Aku :: Akutars (@AkuDreams) April 23, 2022
“It was a lot of fun, but I had no plans to take advantage of it in the end. Otherwise, I wouldn’t have gone through with the transaction via Coinbase. I will instantly remove the block if you guys openly declare that the vulnerability exists.”
Later, in a statement, Akutars said that the exploit “was not done with malice” and that the individual who carried it out “intentionally brought attention to appropriate procedures for highly public initiatives.”
One of the project’s co-founders, ex-professional baseball player Micah Johnson, issued an apology for letting the community down, saying that he will continue building “brick-by-brick” and working hard to prevent any further problems in the future. In addition, the team said that it would reimburse pass holders 0.5 ETH and airdrop the NFT to the successful bidders.
Tokens are expected to be minted on Monday after the team rewrote its minting contract, which was inspected by a number of engineers.
The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku.
& most everything will go back to refunds and we will keep building what we set out to do.
Brick by brick. https://t.co/vQiPbl0Jpl
— Micah Johnson (@Micah_Johnson3) April 23, 2022