The long-awaited Akutars NFT project was marred by an exploit and a bug over the weekend that resulted in over 11,500 Ethereum (ETH) worth nearly $33 million permanently locked in a smart contract beyond the reach of even the development team.
However, the exploit was carried out by someone who was trying to show a vulnerability in the project rather than steal funds through a hack.
The project was launched on Friday, April 22. It began with a Dutch auction, a type of bidding in which the price is reduced until a bid is received, with the first bid winning the sale as long as the price is above the reserve.
The auction opened at 3.5 ETH with only 5,495 of the available 15,000 NFTs listed for sale, and the smart contract was set to refund all bidders who offered a lower bid. Aku Mint Pass holders were also given a 0.5 ETH rebate on each minted NFT.
$33 million mistake
In an April 23 Twitter thread on the $33 million error, 0xInuarashi, a developer behind several NFT projects, explained that the Akutars smart contract was coded so that refunds to bidders had to be processed before the team could withdraw any funds.
There was a clause in the contract requiring a minimum number of bids before the team could withdraw, but that minimum was set equal to the number of NFTs available for auction.
Unfortunately, because some buyers minted multiple NFTs in a single bid, the number of bids can never reach that minimum, so the contract will never unlock, permanently sealing nearly $33 million in Ethereum.
A now-deleted tweet posted by Akutars, shared by DeFi developer foobar, indicates that other developers had contacted the team to warn that the contract could be attacked, but the team appears to have ignored the warning, calling the potential vulnerability a “feature.”
“The AkuDreams team pretended this was a feature and not an exploit when several developers raised concerns prior to release. Weird excuses,” wrote foobar.
During minting, an unknown person executed a so-called “griefing contract”, which blocked the ability of the Akutars contract to process refunds to those who underbid. This person even embedded a message on the blockchain for the Akutars team saying that they would lift the block:
“Well that was fun, I didn’t intend to use it lol. Otherwise, I wouldn’t use Coinbase. As soon as you guys publicly admit that the exploit exists, I will immediately remove the block,” he wrote.
Akutars then quickly responded by taking ownership of the code and suggesting that the exploit “was not done out of malice” and the person “intended to draw attention to best practices for widely known projects”.
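The two failure modes described above (a refund queue that one rejecting recipient can stall, and a withdrawal gate that compares a bid counter with an NFT count) can be reproduced in a small model. This is an added example, not the Akutars contract code; every name in it is hypothetical, and the `hardened` branch shows one common fix (recording failed refunds for later claim and comparing like with like).

```python
# Simplified model (assumption) of the auction logic the article describes.
# All names are hypothetical; this is not the project's contract code.
from dataclasses import dataclass, field

class Revert(Exception):
    """Stands in for an EVM revert that undoes the whole call."""

@dataclass
class Bid:
    bidder: str
    quantity: int              # NFTs minted through this single bid
    refund_due: float          # ETH owed back to the bidder
    accepts_eth: bool = True   # False models a recipient that rejects payment

@dataclass
class Auction:
    total_nfts: int
    hardened: bool = False
    bids: list = field(default_factory=list)
    refund_progress: int = 0                      # counts processed BIDS
    credits: dict = field(default_factory=dict)   # pull-payment ledger

    def process_refunds(self):
        while self.refund_progress < len(self.bids):
            bid = self.bids[self.refund_progress]
            if not bid.accepts_eth:
                if not self.hardened:
                    raise Revert(f"refund to {bid.bidder} failed")  # queue stalls
                # Hardened: book the debt for the bidder to claim, keep going.
                self.credits[bid.bidder] = bid.refund_due
            self.refund_progress += 1

    def can_withdraw(self):
        # Flawed gate: a bid counter is compared with the NFT supply.
        target = len(self.bids) if self.hardened else self.total_nfts
        return self.refund_progress >= target

def run(hardened, with_blocker):
    # Constructed sample: 5 NFTs sold through only 3 bids.
    a = Auction(total_nfts=5, hardened=hardened)
    a.bids = [Bid("alice", 2, 0.4),
              Bid("blocker", 1, 0.2, accepts_eth=not with_blocker),
              Bid("carol", 2, 0.4)]
    try:
        a.process_refunds()
        stalled = False
    except Revert:
        stalled = True
    return stalled, a.refund_progress, a.can_withdraw()
```

Even with no rejecting recipient, the unhardened gate stays closed because three processed bids can never reach a target of five NFTs.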
In a tweet the same day, project founder and former professional baseball player Micah Johnson apologized to the community, noting that after letting them down, he will “continue to build brick by brick” and work tirelessly to avoid any similar issues in the future.
The team also stated that they will be returning 0.5 Ethereum to pass holders, as well as giving away NFTs to successful bidders.
“Mistakes made cost no one more than me. I have reinvested almost everything in building Aku and almost everything is refundable, but we will continue to build what we set out to do. Brick by brick,” wrote Micah Johnson.
In an update posted on Sunday, April 24, the team revealed that they had rewritten their mint contract, which was then reviewed by several developers, and that they planned to launch the mint on Monday, April 25.