NFT project loses $34M to smart contract flaw
The future of a rather hyped NFT project is currently shaky following a smart contract bug that has left the team with $34 million of inaccessible funds.
Akutars is a highly anticipated NFT project that was scheduled to launch over the weekend. The 3D avatar project is based on Aku, an original character created by former Major League Baseball player Micah Johnson. Holders of the original Aku NFTs were airdropped a free avatar, with only 5,495 of the available 15,000 items being up for sale.
The sales went live with a Dutch Auction on Friday, opening at 3.5 Ethereum, plus a 0.5 Ethereum discount for holders of an “Aku Mint Pass.” However, things quickly began to go awry.
Upon launch, some developers reached out to the Aku team warning them of the possibility of exploiting their smart contract. A Twitter user named Hasan tried to warn the developers of the flaw but was reportedly shrugged off on the grounds that the potential exploit was a feature and there were fail-safes to prevent such an occurrence.
Apparently, the smart contract was coded to allow mint pass holders to receive a refund before the team could make any withdrawals. The team assumed that the minimum number of bids would be equal to the number of NFTs available for auction, failing to account for multiple bids. Some buyers attempted to mint multiple NFTs within the same bid, and this meant that the terms of the contract would never be met, ultimately sealing away around $34 million worth of Ethereum forever.
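The mismatch described above can be reproduced in a small model. This is an added example, not the Akutars contract code: the class and method names, the refund rule (the amount paid above an assumed final price) and the sample bids are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Bid:
    bidder: str
    quantity: int          # NFTs requested in this one bid
    paid: int              # total amount sent with the bid
    refunded: bool = False

@dataclass
class AuctionModel:                        # hypothetical model, not project code
    final_price: int                       # assumed per-NFT settlement price
    bids: list = field(default_factory=list)
    total_quantity: int = 0                # NFTs bid for, summed over all bids
    refund_progress: int = 0               # bid records refunded so far
    balance: int = 0

    def bid(self, bidder, quantity, price_each):
        self.bids.append(Bid(bidder, quantity, quantity * price_each))
        self.total_quantity += quantity
        self.balance += quantity * price_each

    def process_refunds(self):
        # Progress advances once per bid record, whatever its quantity.
        for b in self.bids:
            if not b.refunded:
                self.balance -= b.paid - b.quantity * self.final_price
                b.refunded = True
                self.refund_progress += 1

    def can_withdraw_flawed(self):
        # Flawed guard: compares a count of bids with a count of NFTs.
        return self.refund_progress >= self.total_quantity

    def can_withdraw_fixed(self):
        # Corrected guard: both sides count bid records.
        return self.refund_progress >= len(self.bids)

def demo():
    a = AuctionModel(final_price=2)        # constructed sample data
    a.bid("alice", 1, 3)
    a.bid("bob", 3, 3)                     # one bid covering three NFTs
    a.bid("carol", 1, 2)
    a.process_refunds()
    a.process_refunds()                    # repeating cannot raise the counter
    return (a.refund_progress, a.total_quantity, a.balance,
            a.can_withdraw_flawed(), a.can_withdraw_fixed())

if __name__ == "__main__":
    print(demo())
```

With every refund paid, the flawed guard still sees 3 refunds against 5 NFTs and never opens; a test that includes at least one multi-quantity bid catches this before deployment.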
To prove a point, another user named USER221 opted to trigger the suspected flaw to show the project’s vulnerability. The unknown individual executed what is known as a “griefing contract,” locking the smart contract’s ability to process refunds to underbidders.
USER221 included a note in his transaction asking the project to “please do bug bounty on [their] contracts or have them audited at least.” And in a separate transaction on the blockchain, the individual told the Akutars team that they would unlock the project.
“Well, this was fun, had no intention of actually exploiting this lol. Otherwise I wouldn’t have used Coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately.”
In a postmortem thread on Friday night, the Akutars dev team acknowledged the flaw and admitted that the exploit by the unknown individual “was not done out of malice” and USER221 “intended to bring attention to best practices for highly visible projects.”
In another tweet on the same day, the project’s founder and former pro-baseballer Micah Johnson apologized to the NFT community for brushing off the concerns.