An attack and a smart contract problem have disrupted the auction for a highly anticipated NFT project, leaving the team with $33 million that cannot be accessed.
Over 11,500 Ether (ETH) worth nearly $33 million was locked forever within a smart contract, inaccessible even to the development team, in the highly anticipated nonfungible token (NFT) project Akutars over the weekend due to both an exploit and a bug.
The exploit, however, was carried out by someone who wanted to expose a flaw in the project rather than take money through a hack.
On Friday, the project went live with a Dutch auction, a type of auction in which the price drops until a bid is received, with the first bidder winning the sale as long as the price is over the reserve.
0xInuarashi, a creator of many NFT projects, revealed in a Saturday Twitter thread that Akutars’ smart contract was built such that refunds to bidders had to be processed before the team could withdraw any funds.
The contract required a certain number of bids to be processed before the team was allowed to withdraw; however, that minimum number of bids was set to equal the number of NFTs available for auction.
Unfortunately, because some bidders minted several NFTs in a single bid, the number of bids can never reach that minimum, so under the conditions of the contract the approximately $33 million in ETH will never unlock.
Developers had reached out to the Akutars team to warn that the contract could be attacked, according to a now-deleted tweet shared by DeFi developer foobar, but the team appeared to dismiss the warnings entirely, labeling the possible vulnerability a “feature.”
Someone did deploy a griefing contract and bid 2.5 eth about 90 minutes into the auction. Everyone who bid before this should be safe (except for those who came right before), but everyone after would be forever locked out of their funds. https://t.co/0uD1X4v2Vg
— foobar (@0xfoobar) April 23, 2022
During the mint, an unidentified person deployed a “griefing contract,” which prevented the Akutars contract from processing refunds to underbidders. The individual even sent a message to the Akutars team on the blockchain, stating that the contract will be terminated:
Well, this was amusing; I had no intention of profiting from it. I wouldn’t have used Coinbase otherwise. I’ll remove the barrier as soon as you guys openly confirm that the exploit exists.
Akutars quickly replied by accepting responsibility for the code, claiming that the attack “was not done maliciously” and that the individual “wanted to raise attention to acceptable practices for highly public projects.”
Quick Update (will go into more detail asap):
1. The exploit in the contract was not done out of malice; the person intended to bring attention to best practices for highly visible projects & novel mechanics. They unblocked the exploit quickly after we dug in and took ownership
— Aku :: Akutars (@AkuDreams) April 23, 2022
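A simplified Python model of the two problems described above: refunds pushed to bidders in order, so one recipient that rejects payment stalls everyone behind it, and a withdrawal threshold that counts NFTs rather than bids. It is an added illustration, not the Akutars contract code; every class, field and amount in it is hypothetical, and the `hardened` branch shows the usual fix (credit refunds for bidders to claim, and compare against the number of bids).

```python
# Simplified model, constructed for illustration; not the Akutars contract.
class TransferRejected(Exception):
    """Stands in for a recipient contract that refuses incoming ETH."""

class Bidder:
    def __init__(self, name, accepts_transfers=True):
        self.name, self.accepts_transfers, self.balance = name, accepts_transfers, 0.0
    def receive(self, amount):
        if not self.accepts_transfers:
            raise TransferRejected(self.name)
        self.balance += amount

class Auction:
    def __init__(self, hardened=False):
        self.hardened = hardened
        self.bids = []              # (bidder, nft_count, refund_owed)
        self.nfts_bid_for = 0       # flawed threshold: counts NFTs, not bids
        self.refund_progress = 0    # index of the next bid to refund
        self.credits = {}           # hardened: refunds owed, claimed by the bidder
    def bid(self, bidder, nft_count, refund_owed):
        self.bids.append((bidder, nft_count, refund_owed))
        self.nfts_bid_for += nft_count
    def process_refunds(self):
        while self.refund_progress < len(self.bids):
            bidder, _, owed = self.bids[self.refund_progress]
            if self.hardened:       # pull pattern: record the debt, never call out
                self.credits[bidder.name] = self.credits.get(bidder.name, 0.0) + owed
            else:                   # push pattern: one rejecting recipient stalls the queue
                bidder.receive(owed)
            self.refund_progress += 1
    def claim(self, bidder):        # hardened path: a failure here affects only the caller
        bidder.receive(self.credits.pop(bidder.name, 0.0))
    def can_withdraw(self):
        required = len(self.bids) if self.hardened else self.nfts_bid_for
        return self.refund_progress >= required

def run(hardened):
    alice, blocker, bob = Bidder("alice"), Bidder("blocker", False), Bidder("bob")
    auction = Auction(hardened)
    for who, nfts, owed in ((alice, 1, 0.5), (blocker, 1, 0.5), (bob, 3, 1.5)):
        auction.bid(who, nfts, owed)    # constructed bids: bob takes 3 NFTs in one bid
    stalled = False
    try:
        auction.process_refunds()
    except TransferRejected:
        stalled = True
    blocker.accepts_transfers = True    # the block is lifted, as the team's update says
    auction.process_refunds()
    return stalled, auction.refund_progress, auction.can_withdraw()
```

In the flawed mode the refund queue stalls at the rejecting bidder and, even after every refund is eventually processed, three bids can never satisfy a threshold of five NFTs; in the hardened mode neither condition arises.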
Micah Johnson, the project’s founder and former pro-baseballer, apologized to the community in a tweet the same day, saying that despite letting them down, he will “continue to build brick by brick” and strive relentlessly to avoid any future troubles.
The company also said that pass holders would receive 0.5 ETH refunds and that successful bidders would receive the NFT through airdrop.
The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku.
& most everything will go back to refunds and we will keep building what we set out to do.
Brick by brick. https://t.co/vQiPbl0Jpl
— Micah Johnson (@Micah_Johnson3) April 23, 2022
The team announced in a Sunday update that they have rebuilt their minting contract, which was then inspected by numerous developers, and that they plan to mint on Monday.