Akutars, a 3D avatar NFT brand, recently got locked out of its own funds, 11,500 ETH ($33M in US dollars), due to an exploit and a smart contract bug. The developers tried their best to recover the funds from the smart contract in order to refund people who didn’t win the NFT bid, but failed to access them. The question arises: was it done out of malicious intent, or was it an accidental bug?
Blockchain technology utilizes a tool called a smart contract, where all the data is stored in digital form. When someone wants to access that data, they need to meet certain conditions. If the conditions are not met, the contract remains locked forever with no possibility of unlocking it.
This is a familiar problem: some people lose access to their private keys and end up locked out of their own wallets. The same thing happened with Akutars.
Akutars’ Dutch Auction
Akutars is an NFT brand that recently launched an NFT project on Friday. The NFTs went live for bidding via Dutch Auction. In this type of auction, the price of an NFT is lowered until it receives a bid.
During this process, the platform collects bids from buyers and, once the NFT is sold to someone, refunds the bid amounts.
Around 5,495 NFTs went on sale from Akutars with a starting bid of 3.5 ETH. People who had an “Aku Mint Pass” would also receive a discount of 0.5 ETH on each mint from the developers.
The smart contract: bug or exploit?
As soon as the project went live, people started minting huge numbers to score their NFTs.
Akutars’ smart contract was coded with a condition that the company could not withdraw funds until the bidders were refunded. The contract also set a minimum number of bids before the team could access the funds, which was equal to the number of NFTs in the auction.
A few days before the project went live, a developer had pointed out that there was a bug within the smart contract that could lead to severe consequences; however, Akutars refused to recognize it and referred to it as a feature.
Since multiple NFTs were minted on the same bid by the buyers, the contract got locked away forever. The conditions can never be met, so no one could access the 11,500 ETH, $33M in US dollars, gathered from the bids.
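The lock-up described above can be reproduced with a small model. This is an added example, not the Akutars contract code: the class, method names and the "fixed" check are hypothetical, and the bid quantities are constructed. It shows why a gate that compares the number of bids against the number of NFTs can never open once one bid covers several NFTs.

```python
from dataclasses import dataclass, field

@dataclass
class Bid:
    bidder: str
    quantity: int            # NFTs covered by this single bid
    refunded: bool = False

@dataclass
class AuctionModel:
    """Simplified model of the withdrawal gate described in the article."""
    supply: int              # NFTs in the auction
    bids: list = field(default_factory=list)

    def place_bid(self, bidder, quantity):
        self.bids.append(Bid(bidder, quantity))

    def process_refunds(self):
        for bid in self.bids:
            bid.refunded = True

    def all_refunded(self):
        return all(b.refunded for b in self.bids)

    def can_withdraw_flawed(self):
        # Counts bids, but compares the count against a number of NFTs.
        return self.all_refunded() and len(self.bids) >= self.supply

    def can_withdraw_fixed(self):
        # Assumed correction: compare NFTs covered by bids against NFTs.
        nfts_bid_for = sum(b.quantity for b in self.bids)
        return self.all_refunded() and nfts_bid_for >= self.supply

def simulate(supply, quantities):
    """Run one auction, refund every bidder, and report whether each
    gate would let the team withdraw: (flawed, fixed)."""
    auction = AuctionModel(supply)
    for i, quantity in enumerate(quantities):
        auction.place_bid(f"bidder{i}", quantity)
    auction.process_refunds()
    return auction.can_withdraw_flawed(), auction.can_withdraw_fixed()

if __name__ == "__main__":
    print(simulate(3, [1, 1, 1]))   # one NFT per bid: both gates open
    print(simulate(6, [1, 3, 2]))   # sold out in 3 bids: flawed gate stays shut
    print(simulate(6, [1, 1]))      # not sold out: both gates stay shut
```

A pre-deployment test that runs the withdrawal gate against multi-quantity bids, as the second case does, is the kind of check that surfaces this class of bug before funds are at stake.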
Among the buyers, someone pulled a “griefing contract,” a term used when the owners are unable to access smart contracts; in Akutars’ case, they were unable to access refunds.
According to the Akutars developers, the smart contract lock wasn’t a malicious attempt but was “intended to bring attention to best practices for highly visible projects.”
The unknown person who exploited the smart contract also released a statement saying: “Well, this was fun, had no intention of actually exploiting this lol. Otherwise, I wouldn’t have used Coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately.”
Akutars developers explained the whole issue in the Twitter thread:
Later the project’s founder Micah Johnson apologized to the community and promised to refund all the underbid buyers as soon as possible. He tweeted:
The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku. & most everything will go back to refunds and we will keep building what we set out to do.
Brick by brick
The developers later updated the case by saying they had rewritten the minting contract, and are in the process of reviewing and auditing it.
Akutars’ careless decision not to review its smart contract before listing the NFT project cost it a huge amount of money. Locked smart contracts are almost impossible to access, as there is no way to undo the automated conditions on the blockchain.
Akutars will remain deprived of the $33M and will have to refund all the underbid buyers through its own funds. The $33M is forever sealed away in the blockchain.