AkuDreams suffers exploit, loses $34M in proceeds forever


AkuDreams' dev team was warned about the bug in its smart contract, but it referred to it as a "feature."


Updated: April 25, 2022 at 2:22 pm


Cover art/illustration via CryptoSlate

The much-hyped non-fungible token project AkuDreams is off to a rocky start after an exploit caused $34 million in proceeds to be locked in a smart contract forever.

The hacker behind the exploit was reportedly trying to expose the vulnerabilities in the code. The exploit resulted in over 11,500 Ethereum (ETH) becoming inaccessible to the developer team.

The project went live on April 22 using a Dutch auction that opened at 3.5 ETH; 5,495 of the 15,000 NFTs in the collection were put up for sale. The smart contract for the auction was programmed to refund everyone who underbid.

$34 million locked forever

According to NFT developer 0xInuarashi, the smart contract was programmed to refund bidders before the team could withdraw funds. However, bugs in the code introduced vulnerabilities.

https://t.co/A9lobVZC3p
34 Million USD gone. Just like that. Locked in the contract forever.

A lot of people put light on the griefing which locked processRefunds() for a bit, that was the first exploit.

Luckily that was unlocked, but funds are still locked forever. How?

🧵 1/

— 0xInuarashi (@0xInuarashi) April 23, 2022

The contract also had a caveat: the minimum number of bids had to be equal to the total number of NFTs available for auction, which is 5,495. While the number of actual bids exceeded this figure, the problem was that several buyers used a single bid to mint multiple NFTs.

The result is that the contract counts fewer bids than the total number of NFTs available for auction, so the withdrawal condition can never be satisfied. For this reason, over $34 million in proceeds in the smart contract are locked forever and cannot be withdrawn.
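The accounting mismatch described above, written out as a hypothetical Solidity contract added for illustration; this is not the AkuDreams contract, and the names (`AuctionWithdrawGate`, `Bid`, `totalUnitsSold`, `withdrawVulnerable`, `withdrawFixed`) and the fixed price are assumptions. The only figure taken from the article is the 5,495 NFTs offered. The refund path is left out because the article does not describe how it was griefed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical reconstruction of the "bid count vs. unit count" flaw.
// A single bid may purchase several NFTs, so a gate that compares the
// number of bid entries against the number of NFTs on offer can be
// impossible to satisfy even after every NFT has been sold.
contract AuctionWithdrawGate {
    uint256 public constant MINT_SUPPLY = 5495; // NFTs offered (figure from the article)

    struct Bid {
        address bidder;
        uint256 pricePerUnit; // price locked in when the bid was placed
        uint256 quantity;     // units requested in this one bid (may be > 1)
    }

    Bid[] public bids;                // one entry per bid, NOT per NFT
    uint256 public totalUnitsSold;    // units actually allocated across all bids
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    // Assumed fixed price for illustration; a real Dutch auction decays over time.
    function currentPrice() public pure returns (uint256) {
        return 3.5 ether;
    }

    // One call, one Bid entry, `quantity` units. Two bidders buying 10 units each
    // add 20 to totalUnitsSold but only 2 to bids.length.
    function bid(uint256 quantity) external payable {
        require(quantity > 0, "quantity must be positive");
        require(totalUnitsSold + quantity <= MINT_SUPPLY, "sold out");
        require(msg.value == quantity * currentPrice(), "wrong payment");
        bids.push(Bid(msg.sender, currentPrice(), quantity));
        totalUnitsSold += quantity;
    }

    // VULNERABLE GATE: compares bid entries to NFTs. As soon as any bidder buys
    // more than one unit in a bid, bids.length < MINT_SUPPLY forever, and the
    // proceeds can never leave the contract.
    function withdrawVulnerable() external {
        require(msg.sender == owner, "not owner");
        require(bids.length >= MINT_SUPPLY, "auction not finished");
        _payOut();
    }

    // FIXED GATE: compares units allocated to NFTs, which is what "sold out" means.
    function withdrawFixed() external {
        require(msg.sender == owner, "not owner");
        require(totalUnitsSold >= MINT_SUPPLY, "auction not finished");
        _payOut();
    }

    function _payOut() internal {
        (bool ok, ) = payable(owner).call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
```

The defensive lesson is to check withdrawal and finalisation conditions against a quantity the sale can actually reach, and to test the gate with multi-unit bids before deployment: a unit test that places a few bids with `quantity > 1`, sells out the supply, and then asserts that withdrawal succeeds would have failed against the vulnerable gate.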

Various developers warned AkuDreams about the vulnerability before the project went live, but the team did not heed the warnings.

The AkuDreams team pretended that this was a feature, not an exploit, when multiple developers raised concerns prior to mint. Bizarre justifications. pic.twitter.com/cVgEXnnWzF

— foobar (@0xfoobar) April 23, 2022

In a now-deleted tweet, the team labeled the bug as a feature when developers reached out to warn them about it.

The hacker decided to show them that an exploit isn't a feature by executing a "griefing contract."

This contract initially locked the ability to refund those who underbid, and the anonymous hacker embedded an on-chain message to let them know it was an exploit.

Source: 0xInuarashi

Dev team response

The AkuDreams team took responsibility and reversed the first exploit to allow refunds. However, the second exploit means it cannot get back the $34 million stuck in the smart contract.

Quick Update (will go into more detail asap):

1. The exploit in the contract was not done out of malice; the individual intended to bring attention to best practices for highly visible projects & new mechanics. They unblocked the exploit quickly after we dug in and took ownership

— Aku :: Akutars (@AkuDreams) April 23, 2022

The project's founder, Micah Johnson, has since apologized. In addition, the team released an update stating that the minting contract had been rewritten and audited. It also promised to refund pass holders.
