The team behind AkuDreams, a much-anticipated non-fungible token (NFT) project that went live on Friday, has announced a rewritten mint code after flaws in the first smart contract code had resulted in a reported USD 34m locked “forever.”
In an update on Sunday, the project said that Anonymice, the team behind several NFT projects, “has rewritten our minting contract and several developers have been reviewing and auditing.”
AkuDreams is a 3D astronaut-themed NFT project launched by Micah Johnson, an artist and former professional baseball player. The project consists of 15,000 Ethereum (ETH) avatars with randomized traits.
On Friday, 5,500 of the NFTs were auctioned via a Dutch Auction format, where prices started at ETH 3.5 (USD 9,960) and continued dropping. In the end, the lowest bid would set the final price for the NFT while those who had bid higher would be refunded.
However, the mint was not seamless as several flaws with the code surfaced. At first, an exploiter used a bug in the contract to stop all refunds and withdrawals from the contract, meaning that those who had bid above the final NFT price were not refunded.
Luckily, the exploiter only asked the team to acknowledge the issue while stressing the importance of investing in security.
“Well, this was fun, had no intention of actually exploiting this lol. Otherwise I wouldn’t have used coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately,” the exploiter said in an on-chain message.
In a Twitter post, the team took responsibility and the exploiter unblocked the exploit. However, the project soon faced more issues — a part of the funds have been locked and the team “will never be able to access them.”
According to a thread by pseudonymous developer 0xInuarashi, a flaw in the code failed to account for users minting multiple NFTs in a single transaction.
“A require of refundProgress >= totalBids was made,” 0xInuarashi detailed, adding that the assumption is that all refunds have to be processed before withdrawing.
0xInuarashi said that refundProgress can never go above 3669, while totalBids is 5495 items. Since the code requires refundProgress to be higher or equal to totalBids, 0xInuarashi concluded that “the team will never be able to withdraw their ETH,” worth around USD 34m.
“The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku,” Johnson tweeted, adding that “most everything will go back to refunds and we will keep building what we set out to do. Brick by brick.”
____
Learn more:
– Moonbirds Collection Faces Criticism After User Wins 50+ NFTs During Raffle
– NFT Traders, Beware of Social Engineering Hacks
– North Korea’s Lazarus Group Behind Axie Infinity’s Ronin Hack, Say US Treasury, FBI
– ApeCoin Smart Contract Exploited, ‘Well-Prepared Claimer’ Walks Away With USD 380K
– Most Valuable Bored Ape Yacht Club Exhibition in Hong Kong Worth over 100 Million HKD
– ZRX Token Skyrockets as Coinbase Teams Up with 0x for NFT Marketplace