AkuDreams suffers exploit, loses $34M in proceeds forever
AkuDreams dev team was warned about the bug in its smart contract, but it referred to it as a “feature.”
The much-hyped non-fungible token project AkuDreams is off to a rocky start after an exploit caused $34 million in proceeds to be locked in a smart contract forever.
The hacker behind the exploit was reportedly trying to expose the vulnerabilities in the code. The exploit resulted in over 11,500 Ethereum (ETH) becoming inaccessible to the developer team.
The project went live on April 22 using a Dutch auction and opened at 3.5 ETH, and 5,495 NFTs out of the total 15,000 NFTs in the collection were put up for sale. The smart contract for the auction was programmed to refund everyone that underbid.
$34 million locked forever
According to NFT developer 0xInuarashi, the smart contract was programmed to refund bidders before the team could withdraw funds. However, bugs in the code introduced vulnerabilities.
https://t.co/A9lobVZC3p
34 Million USD gone. Just like that. Locked in the contract forever.A lot of people put light on the grieving which locked processRefunds() for a bit, that was the first exploit.
Luckily that was unlocked, but funds are still locked forever. How?
🧵 1/
— 0xInuarashi (@0xInuarashi) April 23, 2022
It also had a caveat that the minimum number of bids must be equal to the total number of NFTs available for auction, which is 5,495. While the number of actual bids was more than this, the problem came from the fact that several buyers were using the same bid for multiple mints.
The result is that there are fewer bids than the total number of NFTs available for auction. Due to this reason, over $34 million in proceeds in the smart contract are locked forever and can’t be withdrawn.
Various developers warned AkuDreams’ about the vulnerability before the project went live, but the team did not heed the warnings.
The AkuDreams team pretended that this was a feature, not an exploit, when multiple developers raised concerns prior to mint. Bizarre justifications. pic.twitter.com/cVgEXnnWzF
— foobar (@0xfoobar) April 23, 2022
In a now-deleted tweet from the team, they labeled the bug as a feature when developers reached out to warn them about it.
The hacker decided to show them that an exploit isn’t a feature by executing a “griefing contract.”
This contract initially locked the ability to refund those who underbid, and the anonymous hacker embedded an on-chain message to let them know it was an exploit.
Dev team response
The AkuDreams team took responsibility and reversed the first exploit to allow refunds. However, the second exploit means that it can’t get back the $34 million stuck in the smart contract.
Quick Update (will go into more detail asap):
1. The exploit in the contract was not done out of malice; the person intended to bring attention to best practices for highly visible projects & novel mechanics. They unblocked the exploit quickly after we dug in and took ownership
— Aku :: Akutars (@AkuDreams) April 23, 2022
The project’s founder, Micah Johnson, has since apologized. In addition, the team released an update stating that the minting contract had been rewritten and audited. It also promised to refund pass holders.