Bug in the code and whitehat exploit both caused disaster for Akutars NFT project minting
AkuDreams launched its Akutars NFT mint process on April 22nd to much fanfare and excitement. Unfortunately for everyone involved, a poorly-written smart contract, with a refund loop that a single bidder could block and a withdrawal check that could never be satisfied, resulted in heartache and lost money.
The highly-anticipated Akutars project from former MLB player turned full-time digital artist Micah Johnson has turned into a tale containing arrogance, naivety, justice and loss. But there’s a lesson to be learned from this harrowing story.
The Akutars NFT project started its minting process on April 22nd at 4:30pm ET. AkuDreams, the team behind the work, has built up a reputation for quality and innovation. Its legion of fans were ready and waiting with their ETH for the Dutch auction to get underway.
A classic Dutch auction starts at a high price and lowers it until someone pulls the trigger and pays an acceptable amount; assuming that amount is above the reserve price, that bidder wins the item. In the NFT-mint variant, the price drops on a schedule, each buyer pays the price current at the moment they mint, and once the sale closes the difference between what they paid and the final clearing price is refunded to them. It's a tried and tested way of minting NFTs.
Unfortunately for AkuDreams, a bug in their code meant that the process didn’t run so smoothly.
The way AkuDreams coded their smart contracts, every bidder who had paid more than the final clearing price was to receive that difference as a refund, and only once all refunds had gone out could the AkuDreams team withdraw the funds they'd accrued from the auction.
The refunds were also pushed out by the contract itself, in bid order, in a single loop that reverted if any one refund failed. So anyone able to make their own refund fail could stall the whole refund process for everyone queued behind them.
Somebody with a keen eye for code noticed this flaw and sent a message to AkuDreams. The team did not take the advice well and sent a curt response in reply.
AkuDreams appeared to claim that their flaw was not a flaw, but a feature.
Enter the Exploiter
Armed with the knowledge that AkuDreams' smart contract contained a gaping problem, the person who noticed it deployed what is called a griefing contract: a contract that placed a bid but refused to accept ETH sent back to it. When the refund loop reached it, the refund failed and the transaction reverted, so no refund queued behind it could be paid. This stopped all refunds to bidders who had placed their bids after the griefing contract did, and left most of the auction funds stuck in the NFT's smart contract.
Bids placed before the griefing contract's could still be refunded, though someone had to spend gas pushing those refunds through. For everyone who bid after it, the money was locked.
Fortunately for people bidding in the auction, the exploit was carried out by a benevolent whitehat hacker who had no intent of stealing people’s money and only wanted to point out the flaws in AkuDreams’ smart contracts.
All’s well that ends well?
The griefing contract carried a toggle that let the exploiter reverse their action and start accepting ETH again, so the refunds could flow as planned. The whitehat hacker stated that they were willing to flip this toggle, on one condition.
The exploiter wanted a public acknowledgement from the AkuDreams team that they had made two mistakes. The first one was badly-written smart contracts. The second, and perhaps more egregious one, was failing to accept that they’d made any error at all.
Micah Johnson and the Aku team put out a tweet admitting their mistakes and outlining how they would recompense the community.
But the misery doesn’t stop there
A second bug in the same contract was more damaging still, and had nothing to do with the griefing attack. The contract gates the AkuDreams team's withdrawal of the proceeds behind a set of requirements that all have to be met.
AkuDreams designed the smart contracts so that everyone could get their money back before the team could withdraw its own. So far, so good. But the withdrawal check compared a counter that advanced once per bidder refunded against a counter that advanced by the number of NFTs minted, and treated them as if they were the same thing. Because a single bid could mint several NFTs at once, the first counter could never catch up with the second, and the check could never pass.
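To make both defects concrete, here is a simplified model written for this article; it is not the Akutars contract, whose code this page does not reproduce. It shows the push-refund loop that the griefing contract exploited, the griefing contract itself with its accept toggle, the mismatched withdrawal check that locked the proceeds, and a hardened variant that avoids both problems. Every contract, function and variable name, the `limit` batching parameter and the `accept` toggle are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model written for this article, NOT the Akutars contract; all names
// are illustrative. Buyers pay the price current when they mint; after the sale
// closes, the difference against the clearing price is refunded to them.
abstract contract AuctionBase {
    struct Bid { address bidder; uint256 paid; uint256 qty; }
    Bid[] public bids;
    uint256 public refundProgress; // index of the next bid to process
    uint256 public finalPrice;     // clearing price per unit, never above any bid
    address public immutable owner;
    bool public ended;
    constructor() { owner = msg.sender; }
    function bid(uint256 qty) public payable virtual {
        require(!ended && qty > 0, "closed");
        bids.push(Bid(msg.sender, msg.value, qty));
    }
    function end(uint256 clearingPrice) external {
        require(msg.sender == owner, "not owner");
        ended = true;
        finalPrice = clearingPrice;
    }
}

contract VulnerableAuction is AuctionBase {
    uint256 public totalBids; // DEFECT 2: advanced by units minted, not by bidders
    function bid(uint256 qty) public payable override {
        super.bid(qty);
        totalBids += qty;
    }
    // DEFECT 1: refunds are pushed in queue order and one failed send reverts the
    // batch. A bidder whose receive() reverts stalls every refund behind it;
    // bids ahead of it can still be paid in earlier batches (each costing gas).
    function processRefunds(uint256 limit) external {
        require(ended, "not ended");
        uint256 i = refundProgress;
        uint256 stop = i + limit < bids.length ? i + limit : bids.length;
        for (; i < stop; i++) {
            Bid memory b = bids[i];
            (bool ok, ) = b.bidder.call{value: b.paid - finalPrice * b.qty}("");
            require(ok, "refund failed"); // griefing point
        }
        refundProgress = i;
    }
    // refundProgress can at most reach bids.length, which is below totalBids as
    // soon as any bidder mints more than one unit: the proceeds are locked.
    function claimProjectFunds() external {
        require(msg.sender == owner, "not owner");
        require(refundProgress >= totalBids, "refunds not processed");
        payable(owner).transfer(address(this).balance);
    }
}

// Griefing contract: bids above the clearing price, then rejects ETH until its
// owner flips `accept` (the toggle the text describes).
contract Griefer {
    VulnerableAuction public immutable target;
    address public immutable owner;
    bool public accept;
    constructor(VulnerableAuction t) { target = t; owner = msg.sender; }
    function placeBid(uint256 qty) external payable { target.bid{value: msg.value}(qty); }
    function setAccept(bool v) external { require(msg.sender == owner, "not owner"); accept = v; }
    receive() external payable { require(accept, "blocked"); }
}

// Hardened version: credit refunds and let each bidder pull their own, so no
// bidder code runs inside the loop, and compare like with like at the end.
contract HardenedAuction is AuctionBase {
    mapping(address => uint256) public refundOwed;
    uint256 public proceeds; // clearing price times units sold
    function creditRefunds(uint256 limit) external {
        require(ended, "not ended");
        uint256 i = refundProgress;
        uint256 stop = i + limit < bids.length ? i + limit : bids.length;
        for (; i < stop; i++) {
            Bid memory b = bids[i];
            uint256 cost = finalPrice * b.qty;
            refundOwed[b.bidder] += b.paid - cost;
            proceeds += cost;
        }
        refundProgress = i;
    }
    function withdrawRefund() external {
        uint256 owed = refundOwed[msg.sender];
        require(owed > 0, "nothing owed");
        refundOwed[msg.sender] = 0; // clear before sending (reentrancy)
        (bool ok, ) = msg.sender.call{value: owed}("");
        require(ok, "send failed"); // a revert here hurts only the caller
    }
    function claimProjectFunds() external {
        require(msg.sender == owner, "not owner");
        require(refundProgress >= bids.length, "refunds not credited");
        uint256 amount = proceeds;
        proceeds = 0;
        payable(owner).transfer(amount);
    }
}
```

To reproduce the incident against `VulnerableAuction` on a local node: bid from an ordinary account, deploy `Griefer` and call `placeBid` above the eventual clearing price, place one more ordinary bid, then `end` the sale. `processRefunds(1)` pays the first bidder; the batch that reaches the griefer reverts with "refund failed" until its owner calls `setAccept(true)`, exactly as the text describes. Separately, if any bidder minted more than one unit, `claimProjectFunds` reverts forever because `refundProgress` stops at `bids.length` while `totalBids` counts units. `HardenedAuction` removes both failure modes: the loop makes no external calls, so a hostile receiver can only block its own withdrawal, and the final check compares `refundProgress` with `bids.length`, the quantity it actually tracks.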
So the $34 million is locked away in immutable smart contracts.
Those who failed in the auction got their refunds back. Those who succeeded in the auction will get their NFTs. Unfortunately, AkuDreams cannot get their hands on the money they earned. It truly is a heartbreaking tale.
The moral of the story: when someone points out a security flaw in your code, listen, and verify the fix before the contract is immutable on-chain. It could save you a lot of trouble down the road.
Who are AkuDreams and what are Akutars?
AkuDreams was started by ex-MLB player Micah Johnson. The project grew to prominence after Johnson created a social justice-themed work of art that showed the story of a young black astronaut named Aku.
Since then, the Genesis collection and Chapter 7: Candle have cemented the artist’s position in the NFT space. People know the AkuDreams project as one with a strong voice that speaks out about important social issues.
Akutars form the latest chapter in the AkuDreams saga. They’re a collection of 15,000 ‘unique, 3D avatars living on the Ethereum blockchain. Each Akutar grants you entry into the ever-expanding Akuverse’. Only 5,495 Akutars were up for auction at the initial mint.