AkuDreams See $34 Million Locked Away Forever in Blockchain Limbo



Bug in the code and whitehat exploit both caused disaster for Akutars NFT project minting

Summary

AkuDreams launched its Akutars NFT mint process on April 22nd to much fanfare and excitement. Unfortunately for everyone involved, a poorly-written smart contract and an inescapable loop in the code resulted in heartache and lost money.

The highly-anticipated Akutars project from former MLB player turned full-time digital artist Micah Johnson has turned into a tale containing arrogance, naivety, justice and loss. But there’s a lesson to be learned from this harrowing story. 

The Setup

The Akutars NFT project started its minting process on April 22nd at 4:30pm EST. Akudreams, the team behind the work, has built up a reputation for quality and innovation. Its legion of fans were ready and waiting with their ETH for the Dutch auction to get underway.

A Dutch auction starts at a high price and gets lower until someone pulls the trigger and pays an acceptable amount. Once this happens, and assuming the buyer’s bid is above the reserve price, the bidder wins the item. It’s a tried and tested way of minting NFTs. 

Unfortunately for AkuDreams, a bug in their code meant that the process didn’t run so smoothly.

The way AkuDreams coded their smart contracts, all auction participants who were outbid were to receive their losing bids as refunds before the AkuDreams team could withdraw the funds they’d accrued from the auction.

It was also written into the smart contracts that users could only get their refunds in a sequential order. So, if someone were able to stop that sequence by finding and exploiting a bug in the code, they could stop the whole refund process.

Somebody with a keen eye for code noticed this flaw and sent a message to AkuDreams. Unfortunately, the team did not respond very well to this advice and sent out a curt response in reply.

AkuDreams appeared to claim that their flaw was not a flaw, but a feature.

Enter the Exploiter

Armed with the knowledge that AkuDream’s smart contract contained a gaping problem, the person who noticed it executed something called a griefing contract. This stopped all refunds from going back to the unsuccessful bidders who had made their bid after the grief contract was deployed. It locked away most of the auction funds in the NFT’s smart contract.

Funds from Dutch auction shown on Etherscan

Every bid that a person made up until the exploiter executed the grief contract could be reclaimed as a refund, but would cost people gas fees to get their money back. For everyone who made a bid after the grief exploit, their money was locked away. 

Fortunately for people bidding in the auction, the exploit was carried out by a benevolent whitehat hacker who had no intent of stealing people’s money and only wanted to point out the flaws in AkuDreams’ smart contracts.

Note left by whitehat hacker

All’s well that ends well?

A toggle was written into the smart contracts which allowed for the exploiter to reverse their action and the refunds could be returned as planned. The whitehat hacker stated that they were willing to flip this toggle, on one condition.

The exploiter wanted a public acknowledgement from the AkuDreams team that they had made two mistakes. The first one was badly-written smart contracts. The second, and perhaps more egregious one, was failing to accept that they’d made any error at all.

Micah Johnson and the Aku team put out a tweet admitting their mistakes and outlining how they will recompense the community.

But the misery doesn’t stop there

The bug the exploiter noticed had another, more dangerous, element to it. The smart contract is written in such a way that a certain number of requirements have to be met in order for the AkuDreams team to unlock the funds they’ve accrued from the auction.

AkuDreams designed the smart contracts so that everyone could get their money back before the AkuDreams could withdraw their money. So far, so good. But the smart contracts required the number of people receiving refunds to match the number of bids (i.e. the number of NFTs on sale). Because some people minted multiple NFTs at once, this number could never be reached.

So the $34 million is locked away in immutable smart contracts.

Those who failed in the auction got their refunds back. Those who succeeded in the auction will get their NFTs. Unfortunately, AkuDreams cannot get their hands on the money they earned. It truly is a heartbreaking tale.

The moral of the story: listen to devs when they point out your security flaws. It could save you a lot of trouble down the road.

Who are AkuDreams and what are Akutars?

AkuDreams was started by ex-MLB player Micah Johnson. The project grew to prominence after Johson created a social justice-themed work of art that showed the story of a young black astronaut named Aku.

Since then, the Genesis collection and Chapter 7: Candle have cemented the artist’s position in the NFT space. People know the AkuDreams project as one with a strong voice that speaks out about important social issues.

Akutars form the latest chapter in the AkuDreams saga. They’re a collection of 15,000 ‘unique, 3D avatars living on the Ethereum blockchain. Each Akutar grants you entry into the ever-expanding Akuverse’. Only 5,495 Akutars were up for auction at the initial mint.
To follow this story as it unfolds, make sure you stay tuned to our Twitter page and check in with our blog and we continue to report that latest news. Every Friday at 4pm UTC, we’ll bring you the latest on dapps, NFTs, DeFi and web3 on our weekly podcast, Off the Blockchain. You can track all NFTs using our online tools which give expert insight into on-chain analytics.



Related Posts

Mexico Beckons as Patron Brings its Tequila to Decentraland

Mexico Beckons as Patron Brings its Tequila to Decentraland

As the summer season gets into full swing, it was only a matter of time before tequila made another appearance in the metaverse. Now, purveyor of high-quality…

IRS takes out John Doe summons on crypto prime dealer SFOX to find tax cheat customers

IRS takes out John Doe summons on crypto prime dealer SFOX to find tax cheat customers

The Central District of California federal court entered an order Monday to authorize the United States Internal Revenue Service (IRS) to serve a John Doe summons on…

How do Ownership and Copyright Work for NFTs?

How do Ownership and Copyright Work for NFTs?

Answers to critical questions surrounding intellectual property, copyright, and ownership of NFTs Although the popularity of NFT collections recently skyrocketed, the answers to pressing questions surrounding intellectual…

NFT Naruto Museum signs an agreement with The Jackson Family Foundation

NFT Naruto Museum signs an agreement with The Jackson Family Foundation

Being a legend of pop music, an iconic dancer and a truly prominent celebrity of all times, Michael Jackson’s unmatched legacy is eternal. To make it everlasting…

BlockFi tops the Inc. 5000 list with almost 250,000% revenue growth in three years

BlockFi tops the Inc. 5000 list with almost 250,000% revenue growth in three years

Inc. magazine has named BlockFi the fastest growing company in the United States in 2022. At the top of the magazine’s Inc. 5000 2022 list, it experienced…

Aavegotchi AMA – DappDays Highlights

Aavegotchi AMA – DappDays Highlights

Rarity farming, Gotchiverse, Liquidators, and more from the world´s most active DAO. On Monday 8th, August, DappRadar spoke with Aavegotchi as part of our DappDays celebration week….