The much-vaunted non-fungible token project AkuDreams got off to a rocky start after an exploit resulted in $34 million in proceeds being locked in a smart contract forever.
The hacker behind the exploit reportedly set out to expose the vulnerabilities in the code. The exploit resulted in over 11,500 Ethereum (ETH) becoming inaccessible to the development team.
The project went live via a Dutch auction on April 22, opening at 3.5 ETH, with 5,495 of the collection's 15,000 NFTs put up for sale. The smart contract for the auction was programmed to refund anyone who underbid.
$34 million locked up forever
According to NFT developer 0xInuarashi, the smart contract was programmed to refund bidders before the team could withdraw funds. However, bugs in the code led to security vulnerabilities.
$34 million gone. Just like that. Contract made forever.
A lot of people shed light on the griefing that locked processRefunds() for a while; that was the first exploit.
Luckily that was unlocked, but the funds are still locked forever. How?
— 0xInuarashi (@0xInuarashi) April 23, 2022
There was also a caveat: the contract required the number of bids to match the total number of NFTs available in the auction, which is 5,495. While the number of actual bids was higher, the problem came from the fact that multiple buyers were using a single bid for multiple mints.
The result is that the contract counts fewer bids than the total number of NFTs available for auction, so the withdrawal condition can never be satisfied. Because of this, over $34 million in proceeds are locked in the smart contract forever and cannot be withdrawn.
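To make the counting mismatch concrete, here is a small Python model added by the editor; it is not the AkuDreams contract, whose code is not reproduced here. The bid ledger, the quantities and the `compare_units` switch are constructed assumptions that only illustrate why a gate comparing bid entries against NFTs sold can become unsatisfiable once one bid covers several mints.

```python
from dataclasses import dataclass, field

NFTS_FOR_SALE = 5_495  # number of NFTs auctioned, as stated in the article


@dataclass
class Bid:
    bidder: str
    quantity: int  # NFTs minted with this single bid (constructed)


@dataclass
class AuctionModel:
    """Toy model of the withdrawal gate, not the real contract.

    compare_units=False: gate counts bid entries (the flawed design described above).
    compare_units=True:  gate counts NFTs actually covered by the bids (same unit as
                         the sale size), so a sold-out auction can always be withdrawn.
    """
    compare_units: bool = False
    bids: list = field(default_factory=list)

    def mint(self, bidder: str, quantity: int) -> None:
        self.bids.append(Bid(bidder, quantity))

    def sold_units(self) -> int:
        return sum(b.quantity for b in self.bids)

    def can_withdraw(self) -> bool:
        if self.compare_units:
            return self.sold_units() == NFTS_FOR_SALE
        # Flawed: len(bids) is in "bids", NFTS_FOR_SALE is in "NFTs"; they only
        # agree when every bid mints exactly one NFT.
        return len(self.bids) == NFTS_FOR_SALE


def simulate(multi_mint_bidders: int, per_bid: int, fixed: bool) -> dict:
    """Sell out the auction; some bidders mint `per_bid` NFTs with one bid each."""
    model = AuctionModel(compare_units=fixed)
    for i in range(multi_mint_bidders):
        model.mint(f"bidder{i}", per_bid)
    for i in range(NFTS_FOR_SALE - multi_mint_bidders * per_bid):
        model.mint(f"single{i}", 1)
    return {"bids": len(model.bids), "units": model.sold_units(),
            "withdrawable": model.can_withdraw()}


if __name__ == "__main__":
    print(simulate(100, 3, fixed=False))  # sold out, yet not withdrawable
    print(simulate(100, 3, fixed=True))   # sold out and withdrawable
```

A pre-launch test like `simulate(...)` with multi-mint bids is exactly the kind of check that would have surfaced the unreachable withdrawal condition before funds were committed.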
Various developers warned AkuDreams about the vulnerability before the project went live, but the team ignored the warnings.
The AkuDreams team pretended this was a feature and not an exploit when several developers raised concerns about Mint. Bizarre justifications. pic.twitter.com/cVgEXnnWzF
— foobar (@0xfoobar) April 23, 2022
In a now-deleted tweet from the team, they labeled the bug a feature when developers warned them about it.
The hacker decided to show them that an exploit is not a feature by running a “griefing contract”.
This contract initially locked out the ability to reimburse those who underbid, and the anonymous hacker embedded an on-chain message to let them know it was an exploit.
Response from the development team
The AkuDreams team took responsibility and reverted the first exploit to allow for refunds. However, the second exploit means it cannot get back the $34 million locked in the smart contract.
Quick update (will go into detail as soon as possible):
1. The contract exploit was not intentional; the person was tasked with raising awareness of best practices for high-visibility projects and novel mechanics. They quickly unlocked the exploit after we dug in and took ownership.
— Aku :: Akutars (@AkuDreams) April 23, 2022
The project’s founder, Micah Johnson, has since apologized. Additionally, the team released an update stating that the minting contract has been rewritten and reviewed. It also promised to give passport holders a refund.