AkuDreams suffers exploit, loses $34M in proceeds forever

The much-hyped non-fungible token project AkuDreams is off to a rocky start after an exploit caused $34 million in proceeds to be locked in a smart contract forever. 

The hacker behind the exploit was reportedly trying to expose the vulnerabilities in the code. The exploit resulted in over 11,500 Ethereum (ETH) becoming inaccessible to the developer team.

The project went live on April 22 using a Dutch auction and opened at 3.5 ETH, and 5,495 NFTs out of the total 15,000 NFTs in the collection were put up for sale. The smart contract for the auction was programmed to refund everyone that underbid.

$34 million locked forever

According to NFT developer 0xInuarashi, the smart contract was programmed to refund bidders before the team could withdraw funds. However, bugs in the code introduced vulnerabilities.

It also had a caveat that the minimum number of bids must be equal to the total number of NFTs available for auction, which is 5,495. While the number of actual bids was more than this, the problem came from the fact that several buyers were using the same bid for multiple mints.

The result is that there are fewer bids than the total number of NFTs available for auction. Due to this reason, over $34 million in proceeds in the smart contract are locked forever and can’t be withdrawn.

Various developers warned AkuDreams’  about the vulnerability before the project went live, but the team did not heed the warnings.

In a now-deleted tweet from the team, they labeled the bug as a feature when developers reached out to warn them about it.

The hacker decided to show them that an exploit isn’t a feature by executing a “griefing contract.” 

This contract initially locked the ability to refund those who underbid, and the anonymous hacker embedded an on-chain message to let them know it was an exploit.

Source: 0xInuarashi

Dev team response

The AkuDreams team took responsibility and reversed the first exploit to allow refunds. However, the second exploit means that it can’t get back the $34 million stuck in the smart contract.

The project’s founder, Micah Johnson, has since apologized. In addition, the team released an update stating that the minting contract had been rewritten and audited. It also promised to refund pass holders.

Posted In: Ethereum, Hacks
Symbiosis

Source: https://cryptoslate.com/akudreams-suffer-exploit-locked-out-of-34-million-proceeds-forever/