The team behind AkuDreams, a much-anticipated non-fungible token (NFT) project that went live on Friday, has announced rewritten mint code after flaws in the first smart contract resulted in a reported USD 34m being locked “forever.”
In an update on Sunday, the project said that Anonymice, the team behind several NFT projects, “has rewritten our minting contract and several developers have been reviewing and auditing.”
We’re so happy to help. The more we can do for each other in this space the better.
Anonymice 🤝 Akutars #akutars #anonymice #web3 https://t.co/qobv4BkkjH
— Anonymice (@AnonymiceNFT) April 24, 2022
AkuDreams is a 3D astronaut-themed NFT project launched by Micah Johnson, an artist and former professional baseball player. The project consists of 15,000 Ethereum (ETH) avatars with randomized traits.
On Friday, 5,500 of the NFTs were sold via a Dutch auction, in which the price started at ETH 3.5 (USD 9,960) and dropped over time. The lowest accepted bid would set the final price for every NFT, and those who had bid higher would be refunded the difference.
The mint was not seamless, however, as several flaws in the code surfaced. First, an exploiter used a bug in the contract's refund logic to block all refunds and withdrawals from the contract, so that those who had bid above the final price could not be refunded.
Luckily, the exploiter only asked the team to acknowledge the issue, while stressing the importance of investing in security.
“Well, this was fun, had no intention of actually exploiting this lol. Otherwise I wouldn’t have used coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately,” the exploiter said in an on-chain message.
In a Twitter post, the team took responsibility and the exploiter removed the block. However, the project soon faced a more serious issue: part of the funds has been locked in the contract and the team “will never be able to access them.”
3. However, the refunds to passholders of 0.5 ETH per bid have not yet been issued. An unfortunate byproduct of #2 (partial refunds before ALL refunds were issued) is that the contract has locked remaining funds. We will never be able to access them.
— Aku :: Akutars (@AkuDreams) April 23, 2022
According to a thread by pseudonymous developer 0xInuarashi, a flaw in the code failed to account for users minting multiple NFTs in a single transaction.
“A require of refundProgress >= totalBids was made,” 0xInuarashi detailed, explaining that the check was meant to ensure all refunds had been processed before the team could withdraw. The two counters measure different things, however: refundProgress advances by one for each bid processed, regardless of how many NFTs that bid covered, while totalBids counts NFTs.
0xInuarashi said that refundProgress can therefore never go above 3,669 (the number of bids placed), while totalBids stands at 5,495 (the number of NFTs bid for). Since the code requires refundProgress to be greater than or equal to totalBids, 0xInuarashi concluded that “the team will never be able to withdraw their ETH,” worth around USD 34m.
20/ A summary
Exploit 1: processRefunds() able to get stuck
Exploit 2: bids count did not increment correctly with mint amount
Exploit 3: withdraw requires bids count to increment correctly
Final Caveat: funds stuck forever.
— 0xInuarashi (@0xInuarashi) April 23, 2022
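To make the refund blocking and the counter mismatch concrete, the following is an added Python model of the two accounting paths described above. It is not the Akutar contract, the rewritten Anonymice contract, or any code from 0xInuarashi's thread; the bidders, prices and quantities are constructed, and `FixedAuction` is one assumed hardening (pull-based refunds plus a reserve of what is still owed), not the project's actual fix. The vulnerable `Auction` pushes refunds to every bidder in a loop and guards the project withdrawal with `refund_progress >= total_bids`, where one counter advances per bid and the other per NFT.

```python
from dataclasses import dataclass, field

class Revert(Exception): pass  # stands in for an EVM revert: the calling transaction rolls back

@dataclass
class Auction:
    """Toy model of the vulnerable accounting; NOT the Akutar contract."""
    final_price: int
    bids: list = field(default_factory=list)  # (bidder, per-NFT price, NFTs bought)
    total_bids: int = 0       # += quantity per bid: counts NFTs
    refund_progress: int = 0  # += 1 per bid entry: counts transactions
    balance: int = 0
    rejecting: set = field(default_factory=set)  # bidders whose receive() reverts

    def bid(self, bidder, price, quantity):
        self.bids.append((bidder, price, quantity))
        self.balance += price * quantity
        self.total_bids += quantity   # exploit 2: unit differs from refund_progress

    def _send(self, to, amount):
        if to in self.rejecting:
            raise Revert("Failed to refund bidder")
        self.balance -= amount

    def process_refunds(self):
        # Exploit 1: refunds are pushed in a loop, so one receiver that refuses
        # ETH reverts the whole call and pins refund_progress where it is.
        saved = self.balance
        try:
            for bidder, price, qty in self.bids[self.refund_progress:]:
                self._send(bidder, (price - self.final_price) * qty)
        except Revert:
            self.balance = saved      # the transaction rolls back
            return False
        self.refund_progress = len(self.bids)
        return True

    def withdraw_project_funds(self):
        # Exploit 3: refund_progress tops out at len(bids) (3,669 in the real
        # auction) while total_bids counts NFTs (5,495), so this never passes.
        if self.refund_progress < self.total_bids:
            raise Revert("Refunds not yet processed")
        amount, self.balance = self.balance, 0
        return amount

@dataclass
class FixedAuction(Auction):
    """Assumed hardening: pull-based refunds; withdrawal reserves what is owed."""
    claimed: set = field(default_factory=set)

    def owed(self, bidder=None):
        return sum((p - self.final_price) * q for b, p, q in self.bids
                   if b not in self.claimed and bidder in (None, b))

    def claim_refund(self, bidder):
        amount = self.owed(bidder)
        self.claimed.add(bidder)      # effects before interaction
        try:
            self._send(bidder, amount)
        except Revert:
            self.claimed.discard(bidder)  # only this caller's transaction reverts
            raise
        return amount

    def withdraw_project_funds(self):
        amount = self.balance - self.owed()  # two counters no longer have to agree
        self.balance -= amount
        return amount

def _reverts(call):
    try:
        call()
        return False
    except Revert:
        return True

def _setup(cls):
    a = cls(final_price=100)          # constructed scenario, not real auction data
    for bidder, price, qty in (("alice", 350, 1), ("bob", 350, 3), ("mallory", 200, 1)):
        a.bid(bidder, price, qty)     # bob takes three NFTs in one transaction
    a.rejecting.add("mallory")        # mallory bids from a contract that rejects ETH
    return a

def replay_vulnerable():
    a = _setup(Auction)
    blocked = not a.process_refunds()   # mallory's revert stalls every refund
    a.rejecting.discard("mallory")      # "I will remove the block immediately"
    a.process_refunds()
    return {"entries": len(a.bids), "total_bids": a.total_bids,
            "refunds_blocked": blocked, "refund_progress": a.refund_progress,
            "funds_locked": _reverts(a.withdraw_project_funds), "stranded": a.balance}

def replay_fixed():
    a = _setup(FixedAuction)
    alice = a.claim_refund("alice")
    blocked = _reverts(lambda: a.claim_refund("mallory"))  # hurts only mallory
    return {"alice_refund": alice, "mallory_blocked": blocked,
            "project_withdraw": a.withdraw_project_funds(),
            "bob_refund": a.claim_refund("bob")}
```

`replay_vulnerable()` shows the failures in the order the article reports them: while mallory's contract refuses ETH nobody is refunded, and once the block is lifted the refunds complete, but `refund_progress` stops at 3 bid entries against a `total_bids` of 5 NFTs, so the project's remaining 500 stay stranded. `replay_fixed()` runs the same constructed scenario with refunds pulled by each bidder: mallory's reverting receiver blocks only mallory, the project can withdraw everything not owed to bidders, and bob can still claim afterwards.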
“The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku,” Johnson tweeted, adding that “most everything will go back to refunds and we will keep building what we set out to do. Brick by brick.”
Special thanks to everyone that stepped in and helped us get to this point. It's an unfortunate situation to be in- tomorrow we start fresh and get back to building!
— Aku :: Akutars (@AkuDreams) April 25, 2022
Source: Cryptonews