The much-vaunted non-fungible token project AkuDreams got off to a rocky start after an exploit resulted in $34 million in proceeds being locked in a smart contract forever.

The hacker behind the exploit reportedly tried to uncover the vulnerabilities in the code. The exploit resulted in over 11,500 Ethereum (ETH) becoming inaccessible to the development team.

The project went live via a Dutch auction on April 22, opening at 3.5 ETH. Of the 15,000 NFTs in the collection, 5,495 were put up for sale. The smart contract for the auction was programmed to refund anyone who underbid.

$34 million locked up forever

According to NFT developer 0xInuarashi, the smart contract was programmed to refund bidders before the team could withdraw funds. However, bugs in the code led to security vulnerabilities.

There was also a caveat that the minimum number of bids must match the total number of NFTs available for the auction, which is 5,495. While the number of actual bids was higher, the problem came from the fact that multiple buyers were using the same bid for multiple mints.

The result was that there were fewer bids than the total number of NFTs available for auction. Because of this, over $34 million in proceeds are locked in the smart contract forever and cannot be withdrawn.

Various developers warned AkuDreams about the vulnerability before the project went live, but the team ignored the warnings.

In a now-deleted tweet from the team, they labeled the bug a feature when developers warned them about it.

The hacker decided to show them that an exploit is not a feature by running a “griefing contract”.

This contract initially locked out the ability to reimburse those who underbid, and the anonymous hacker embedded an on-chain message to let them know it was an exploit.

Source: 0xInuarashi
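
The two failure modes described above (a refund queue that one rejecting receiver can stall, and a withdrawal gate that compares a count of bids with a count of NFTs) can be reproduced in a small model. This is an added example, not the AkuDreams contract or the team's rewritten code: it is a simplified Python simulation, every name in it is hypothetical, and the "fixed" variants are one possible correction.

```python
# Simplified Python model of the auction logic described in the article.
# Constructed for illustration: every name here is hypothetical.

class AuctionModel:
    def __init__(self, total_nfts):
        self.total_nfts = total_nfts
        self.bids = []            # one entry per bid: (bidder, quantity, accepts_refund)
        self.refund_progress = 0  # number of bid entries already refunded

    def bid(self, bidder, quantity, accepts_refund=True):
        # A single bid may cover several mints.
        self.bids.append((bidder, quantity, accepts_refund))

    def minted(self):
        return sum(quantity for _, quantity, _ in self.bids)

    def refund_push(self):
        """Flawed: refunds are pushed in order, so one failing receiver halts the queue."""
        for i in range(self.refund_progress, len(self.bids)):
            if not self.bids[i][2]:
                return False      # models a revert; later bidders are never reached
            self.refund_progress = i + 1
        return True

    def refund_tolerant(self):
        """Hardened: a failed refund is recorded for later claim and the loop continues."""
        unclaimed = []
        for i in range(self.refund_progress, len(self.bids)):
            if not self.bids[i][2]:
                unclaimed.append(self.bids[i][0])
            self.refund_progress = i + 1
        return unclaimed

    def can_withdraw_flawed(self):
        # Compares a per-bid counter with a per-NFT total: unreachable when bids < NFTs.
        return self.refund_progress >= self.total_nfts

    def can_withdraw_fixed(self):
        # Compares like with like: every bid entry has been processed.
        return self.refund_progress >= len(self.bids)

def demo():
    a = AuctionModel(total_nfts=5)   # constructed sample: 5 NFTs sold through 3 bids
    a.bid("alice", 2)
    a.bid("rejecting_receiver", 1, accepts_refund=False)
    a.bid("bob", 2)
    stalled = not a.refund_push()    # queue stops at the second bid
    unclaimed = a.refund_tolerant()  # hardened loop finishes the queue
    return stalled, unclaimed, a.minted(), a.can_withdraw_flawed(), a.can_withdraw_fixed()
```

With all five NFTs sold through three bids, the flawed gate stays closed even after every refund has been handled, which is the condition the article describes as locking the proceeds.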

Response from the development team

The AkuDreams team took responsibility and reverted the first exploit to allow for refunds. However, the second exploit means the team cannot get back the $34 million locked in the smart contract.

The project’s founder, Micah Johnson, has since apologized. Additionally, the team released an update stating that the minting contract has been rewritten and reviewed. It also promised to give passport holders a refund.
