Smart-contract fault in AkuDreams NFT project leads to $34 million loss

An error by the AkuDreams team caused the project’s Dutch auction to end with users’ funds lost. More than 11,539 ETH (~$33.93 million) were permanently locked in the smart contract of AkuDreams. They cannot be withdrawn by individual users or by the project team.

$34 million, or 11,539 ETH, is permanently locked into the AkuDreams contract forever. It cannot be retrieved by individual users or by the dev team.

The refund processing, which is complete, sets each bid status to 1. pic.twitter.com/6GnQPnddC6

— foobar (@0xfoobar) April 23, 2022

“$34 million, or 11,539 ETH, are permanently locked in the AkuDreams smart contract. They cannot be withdrawn by individual users or by the project team,” wrote the developer under the nickname 0xfoobar.

As a result of the auction, the losing participants were to claim their ETH, but due to an error in the contract logic they cannot use the emergencyWithdraw () function, which is responsible for withdrawing funds.

According to 0xfoobar, the project team also has no ability to withdraw assets “due to faulty increment arithmetic”.

The AkuDreams team confirmed the bug and stressed that the incident occurred as a result of an “unintentional exploit”. The founder of the NFT project Gangster All Star, known as 0xInuarashi, explained that “someone managed to disrupt the operation of processRefunds (), by placing a bid from a contract.”

3/ This was the cause of the more-so-well-known exploit of a griever contract that can call the bid function (because they did not disable contract calling) which as a fallback that fails.

In short, someone could have bid and broke the processRefunds() by bidding from a contract

— 0xInuarashi (@0xInuarashi) April 23, 2022

The AkuDreams developers said they would compensate users’ losses (0.5 ETH to each affected). Refunds will be issued on Monday or Tuesday — drawing from the project’s treasury reserve.

Update:

.5E Refunds for Pass Holders
— Will be honored
— ETA: Monday/Tuesday
— Why? Bank opens Monday. Money from Chapter treasury will be used.

Akutars
— Will be airdropped
— Auditing contract to ensure accuracy
— ETA: Sunday

— Wait for the official Akutar OpenSea link

— Aku :: Akutars (@AkuDreams) April 23, 2022

As a reminder, in March an unknown stole $790,000 from holders of the Rare Bears NFT collection.

Read ForkLog’s Bitcoin news on our Telegram — cryptocurrency news, prices and analytics.