This is a setback and we wouldn’t wish this on anyone. The only silver lining in all of this is that it takes a team like the Akutar team to be able to survive something this catastrophic. We are still incredibly bullish on Micah Johnson and the Aku project. There is a lot of FUD right now in the space; a few threads attempted to remain agnostic about the situation that unfolded.
This is a summary of the Akutar contract review provided by fellow @RedBeadnDAO member and friend meows.eth.
Catastrophic mistakes in crypto are easy. One line of code cost $34m.
Exploit 1: processRefunds() able to get stuck
Exploit 2: bids count did not increment correctly with mint amount
Exploit 3: withdraw requires bids count to increment correctly
Final Caveat: funds stuck forever.
I would like to make some ending remarks but it’s hard to find the words.
Devs, and Artists, run the NFT space. I would suggest never skimping on them.
Good devs know and will demand their worth. Invest in audits. Invest in security.
I would never wish this upon anyone. It is truly gut-wrenching and I am really sad to see this happen. – 0xInuarashi
Hi, let’s talk about the Akutars disaster.
- A mint pass snapshot mechanism gone wrong that’s wrecking people on the secondary market
- An exploit in the smart contract blatantly paraded as a “feature” by the team, resulting in $45mil in total ETH held hostage
Akutars are a pfp collection of the popular @akudreams project by @Micah_Johnson3. They recently announced the Akutars project and airdropped existing @akudreams collectors mintpasses to claim Akutars along with a separate Dutch Auction for new collectors to purchase.
Two things they did really well in this drop:
1. Rewarding existing collectors of the @akudreams series, always a positive thing
2. A true Dutch Auction where everyone pays the lowest price before selling out instead of punishing early buyers with higher prices.
What could have been done better with the Aku Drop:
Mintpasses. The team decided to snapshot all holders at 2pm ET for future Akutar distribution. Why is this bad? Because most of us don’t live on the internet keeping up to date with everything, let alone at 2pm ET on a business day. This means that even after the snapshot had taken place, people were still buying mintpasses thinking they would qualify for the Akutar. Some people attempting to purchase a mintpass had made global offers on all the major NFT marketplaces. After the snapshot had been taken, attentive sellers were able to slam offer accepts on high bids for their now-useless mintpasses, leaving these bidders with a useless bag. The easiest way to fix this was to allow mintpass holders to turn in their pass for an Akutar.
Response to concerns. Being attentive and responsive when a security researcher attempts to contact you about an exploit. @notchefbob attempted to contact the team about a major exploit in the contract during the auction.
Instead of taking the exploit seriously, the team called the bug a feature. https://twitter.com/AkuDreams/status/1517635935994892297…
The incredible @0xBender wrote a very good thread about how the exploit was done
What they could have done differently:
- Enlist the help of third-party auditing firms to look for exploits in your smart contract before you release it.
- Set up a bug bounty program.
- Not brush off concerns from security researchers as unwarranted FUD.
This was a project that had a lot of attention, fanfare, and good intentions. They did some good things, but they overlooked all of the technical aspects of the project and it resulted in an overly complicated smart contract which the team did not understand.
As a result of this disaster, the fears of “unwarranted FUD” have materialized to become substantiated, deserved criticism. While we should be mindful of Hanlon’s Razor, we need to ask ourselves why high-profile projects often end up delivering such stressful experiences.
There’s more! The talented @0xInuarashi has a followup thread that goes deeper into a second-order consequence of this exploit:
Published By : NFT Culture