What the hell happened?
11,539.5 ETH, valued at over $34 million USD, has been locked inside a smart contract, possibly forever. Hundreds of people are indefinitely cut off from those funds, and the incident exposes weaknesses in how Ethereum contracts are written and reviewed that must be addressed.
The disaster in question involves the drop of Akutars, an NFT profile-picture (pfp) project set to launch on April 22. An offshoot of the wildly successful Aku NFT series, the Akutar pfp drop was meant to usher in the expansion of the Akuverse, which includes partnerships with brands like Puma, Billionaire Boys Club, and Paper Planes.
But on the day of the much-hyped drop, something went horribly wrong. The lowest winning bid set the price for everyone, so higher bidders were supposed to get the difference refunded. They weren't getting it. Nor could the Akutars team withdraw any funds. Millions of dollars now sit in the contract with no one able to access them.
What went wrong?
This massive loss, as explained by Web 3 developer 0xInuarashi, was the result of two distinct problems: a griefing vector in the refund logic and a logic bug in the withdrawal check. The griefing vector lived in the processRefunds() function, which pushed ETH to each bidder in turn and required every transfer to succeed. A bidder whose address is a contract that reverts when it receives ETH makes that transfer fail, which reverts the entire call, so the refund loop could never get past that bidder and everyone behind them in the queue was left unrefunded.
As can be seen on Etherscan, many failed transactions and refund attempts took place over the following couple of days.
It was later revealed anonymously that the blocking bid was a demonstration, with no intent to steal anything. The griefer then stopped blocking the transfer, and refunds could be processed. Crisis averted, right? Wrong. While processRefunds() started working again and people were getting their ETH back, there turned out to be a second problem in the code. This bug, apparently an honest mistake, has indefinitely locked the project's share of the funds.
How, you ask? processRefunds() only advances the refundProgress counter while it is smaller than bidIndex, the number of bid entries, which after the mint-out was 3669. So refundProgress can never exceed 3669. The function that lets the project withdraw its funds, however, requires refundProgress to have reached totalBids, which was 5495. Since 5495 is always greater than 3669, that check can never be satisfied, and the withdrawal is permanently blocked.
The two counters measure different things: refundProgress counts bid entries (one per bidder), while totalBids was incremented by the number of mints each bidder asked for. Because the code did not account for a single bid covering multiple mints, totalBids outgrew the maximum value refundProgress could ever reach. This is not an infinite loop but an unsatisfiable condition, and with no owner override in the contract the funds are stuck.
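To make both failures concrete, here is a small Python model of the refund and withdrawal logic described above, alongside a hardened design. This is an added illustration written for this write-up, not the Akutars contract or the team's code: the names process_refunds, claim_project_funds, refund_progress, bid_index and total_bids follow the description in the text, but the bookkeeping is a simplification, and the bid set is constructed so that its totals match the reported figures (3669 bid entries, 5495 mints). The hardened variant uses pull-payment refunds (each bidder withdraws their own, so a reverting contract only hurts itself) and computes the project's share arithmetically instead of gating it on a refund counter.

```python
"""Toy model of the Akutars refund/withdrawal flaws and a hardened design.

Added illustration, not the project's contract. Names follow the write-up;
the bookkeeping is simplified and the bid set is constructed (assumption)
to reach 3669 bid entries and 5495 mints.
"""
from dataclasses import dataclass, field

ETH = 10**18


class Revert(Exception):
    """Stands in for an EVM revert: nothing in the call persists."""


@dataclass
class Bid:
    bidder: str
    price_wei: int                    # per-mint price this bidder paid
    quantity: int                     # mints requested by this bid entry
    reverts_on_receive: bool = False  # contract whose receive() reverts


@dataclass
class Auction:
    bids: list = field(default_factory=list)
    bid_index: int = 0        # +1 per bid entry
    total_bids: int = 0       # +quantity per bid entry (counts mints)
    refund_progress: int = 0  # bid entries refunded so far
    paid_out: dict = field(default_factory=dict)
    balance_wei: int = 0
    project_withdrawn_wei: int = 0

    def place_bid(self, bidder, price_wei, quantity, reverts_on_receive=False):
        self.bids.append(Bid(bidder, price_wei, quantity, reverts_on_receive))
        self.bid_index += 1
        self.total_bids += quantity
        self.balance_wei += price_wei * quantity

    def final_price(self):
        return min(b.price_wei for b in self.bids)  # lowest bid sets the price

    # --- flaw 1: push refunds, so one reverting recipient halts everyone ---
    def process_refunds(self):
        if self.refund_progress >= self.bid_index:
            raise Revert("Refunds already processed")
        price, pending = self.final_price(), {}
        for i in range(self.refund_progress, self.bid_index):
            b = self.bids[i]
            refund = (b.price_wei - price) * b.quantity
            if refund and b.reverts_on_receive:
                raise Revert(f"Failed to refund bidder {b.bidder}")  # require(sent)
            pending[b.bidder] = pending.get(b.bidder, 0) + refund
        for bidder, wei in pending.items():  # commit only if the loop completed
            self.paid_out[bidder] = self.paid_out.get(bidder, 0) + wei
            self.balance_wei -= wei
        self.refund_progress = self.bid_index

    # --- flaw 2: refund_progress counts entries, total_bids counts mints ---
    def claim_project_funds(self):
        if self.refund_progress < self.total_bids:
            raise Revert("Refunds not yet processed")  # unreachable once mints > entries
        self.project_withdrawn_wei += self.balance_wei
        self.balance_wei = 0

    # --- hardened: pull refunds; project share by arithmetic, not a counter ---
    def withdraw_refund(self, bidder):
        mine = [b for b in self.bids if b.bidder == bidder]
        owed = sum((b.price_wei - self.final_price()) * b.quantity for b in mine)
        owed -= self.paid_out.get(bidder, 0)
        if owed <= 0:
            raise Revert("Nothing to refund")
        if any(b.reverts_on_receive for b in mine):
            raise Revert("Failed to refund bidder")  # only this bidder is affected
        self.paid_out[bidder] = self.paid_out.get(bidder, 0) + owed
        self.balance_wei -= owed
        return owed

    def claim_project_funds_fixed(self):
        share = self.final_price() * self.total_bids - self.project_withdrawn_wei
        self.project_withdrawn_wei += share  # what remains always covers refunds
        self.balance_wei -= share
        return share


def build_auction(griefer_index=100):
    """Constructed bids: 1843 one-mint bids at 3 ETH and 1826 two-mint bids at
    2.5 ETH give 3669 entries and 5495 mints; one 3 ETH bidder is a reverting contract."""
    a = Auction()
    for i in range(1843):
        a.place_bid(f"0xbid{i:04d}", 3 * ETH, 1, reverts_on_receive=(i == griefer_index))
    for i in range(1826):
        a.place_bid(f"0xbid{1843 + i:04d}", 25 * ETH // 10, 2)
    return a


def replay_incident():
    """Griefed refunds, then refunds completing, then the unreachable withdrawal."""
    a = build_auction()
    out = {"entries": a.bid_index, "mints": a.total_bids}
    try:
        a.process_refunds()
    except Revert:
        out["griefed"] = a.refund_progress == 0 and not a.paid_out
    a.bids[100].reverts_on_receive = False  # the griefer relents
    a.process_refunds()
    out["refund_progress"] = a.refund_progress
    try:
        a.claim_project_funds()
        out["withdraw_blocked"] = False
    except Revert:
        out["withdraw_blocked"] = True
    out["fixed_share_wei"] = a.claim_project_funds_fixed()
    return out
```

Running replay_incident() walks through the sequence in the text: the first refund pass reverts with nothing paid out, the second pass completes and leaves refund_progress at 3669, the original withdrawal check fails because 3669 is below 5495, and the arithmetic withdrawal pays out exactly the final price times the number of mints. The pull-payment path is the other half of the fix: a bidder whose contract reverts can only fail their own withdrawal.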
Why so much money?
As Akutars was based on an already highly successful NFT project, hype was high, and lots of people were eager to get in on the initial drop. In fact, the amount of ETH locked up could have been much higher, since the higher bidders did eventually receive their refunds. The remaining problem is that no one on the Akutars team can access the project's share of the funds at all.
Was it a rug?
Considering that Akutars comes from an established project, and that no one, including the team, can access the funds, this is far more likely to have been an honest (if catastrophic) mistake than a malicious rug-pull. The Akutars team has worked on a new minting contract with @Mouse_Dev, which is now available for public review on GitHub. As of press time, it is uncertain what else Akutars will do next, and it remains to be seen how much of a hit to their reputation this event will be.
Invest in Devs
The most unfortunate aspect of this is that it all could have been prevented. The Akutars team may have believed they had accounted for every problem, but this disaster shows that they could have done more: a test that ran the full post-auction path (refunds, then withdrawal) with even one bidder minting more than one token would have hit the unsatisfiable check, and a refund design that lets bidders pull their own refunds rather than pushing ETH to each of them in a loop would have blunted the griefing.
Even in crypto, you can never take developers and security for granted. Any code that moves money can contain exploitable bugs, and investing in good development and security pays off in the long run. Continuous testing and independent review, no matter how experienced or confident you are in the code, help catch catastrophic bugs before they reach mainnet. And when people's money is on the line, it is all the more critical to hire good developers, the often unsung heroes of the internet age.