Over the weekend, the highly anticipated nonfungible token (NFT) project Akutars experienced both an exploit and a bug, resulting in the loss of over 11,500 Ether (ETH), valued at nearly $33 million. These funds are permanently locked within a smart contract and are inaccessible to the development team.
However, it’s important to note that the exploit was not an attempt to steal funds via a hack. Instead, it was conducted by someone who wanted to demonstrate a vulnerability in the project.
The project launched on Friday with a Dutch auction, a type of auction in which the price gradually decreases until a bid is received. The first bid that meets or exceeds the reserve price wins the sale. The auction began at 3.5 ETH, with only 5,495 out of the total 15,000 NFTs available for sale. The smart contract was designed to refund any bidders who were underbid. Additionally, holders of an “Aku Mint Pass” were given a 0.5 ETH discount on each NFT they purchased.
The $33 million bug was explained in a Twitter thread by 0xInuarashi, a developer of multiple NFT projects. They revealed that Akutars’ smart contract was programmed in a way that required refunds to be processed before the development team could withdraw any funds. The contract also had a condition that a minimum number of bids had to be made before withdrawals were allowed, and this minimum was equal to the number of NFTs available for auction. Because some buyers minted multiple NFTs within a single bid, the number of bids is lower than the number of NFTs, so the condition can never be met. The contract will never unlock, effectively locking away the $33 million in ETH forever.
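The withdrawal gate described above can be reproduced in a small Python model. This is an added example, not the Akutars contract or code from the thread; the class and function names, the constructed bid quantities, and the "fixed" gate are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Bid:
    bidder: str
    quantity: int            # NFTs minted by this single bid
    refunded: bool = False

@dataclass
class AuctionModel:
    total_nfts: int                          # NFTs offered in the auction
    bids: list = field(default_factory=list)

    def place_bid(self, bidder: str, quantity: int) -> None:
        sold = sum(b.quantity for b in self.bids)
        if quantity < 1 or sold + quantity > self.total_nfts:
            raise ValueError("quantity exceeds remaining supply")
        self.bids.append(Bid(bidder, quantity))

    def process_refunds(self) -> None:
        for bid in self.bids:
            bid.refunded = True

    def refunds_done(self) -> bool:
        return all(b.refunded for b in self.bids)

    def can_withdraw_flawed(self) -> bool:
        # Gate as described: a bid count compared against an NFT count.
        return self.refunds_done() and len(self.bids) >= self.total_nfts

    def can_withdraw_fixed(self) -> bool:
        # Assumed correction: gate only on refunds, counted per bid.
        return self.refunds_done()

def run_sale(quantities, total_nfts):
    """Run a constructed auction, refund every bid, evaluate both gates."""
    auction = AuctionModel(total_nfts)
    for i, qty in enumerate(quantities):
        auction.place_bid(f"bidder{i}", qty)
    auction.process_refunds()
    return auction.can_withdraw_flawed(), auction.can_withdraw_fixed()

if __name__ == "__main__":
    print(run_sale([1, 1, 1, 1], 4))   # one NFT per bid
    print(run_sale([2, 1, 1], 4))      # one bid mints two NFTs
```

A single multi-NFT bid is enough to make the flawed gate unreachable, which is why a pre-deployment test should exercise the unlock condition with mixed bid quantities.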
Cointelegraph reached out to the Akutars team for comment but did not receive an immediate response.
In a now-deleted tweet, Akutars acknowledged that developers had warned them about a potential exploit in their contract, but that the team had dismissed it as a “feature.” However, during the minting process, an unknown individual executed a “griefing contract” that prevented the Akutars contract from processing refunds to underbidders. The individual even left a message on the blockchain for the Akutars team, stating their intention to stop the contract.
Akutars promptly took responsibility for the code and stated that the exploit was not malicious. They believed the person behind it intended to draw attention to best practices for high-profile projects. The project’s founder, Micah Johnson, a former professional baseball player, offered an apology to the community, acknowledging that they had let them down. Johnson pledged to continue building and working tirelessly to avoid similar issues in the future.
The team also announced that they would be issuing 0.5 ETH refunds to pass holders and airdropping the NFTs to successful bidders.
In an update on Sunday, the team revealed that they had rewritten their minting contract, which was then audited by multiple developers. They plan to proceed with the minting process on Monday.
Note: The headline of this article has been updated from “$34M” to “$33M.”