
Exploit + Bug = $33M locked


The development team of Akutars, a highly anticipated NFT project, encountered an exploit and a bug in the smart contract, which disrupted the auction and left more than 11,500 ETH locked inside the smart contract. Bad luck or a well-planned advertising campaign?

On Friday (04.22), the sale of Akutars NFTs began with a Dutch auction, a type of auction in which the price is lowered until the first bid is made. The first bid wins the auction, provided the price has not fallen below the reserve.

The auction started at 3.5 ETH, and only 5495 of the 15,000 available NFTs were put up for auction. The smart contract was set up to refund funds to all bidders who were underbid. The owners of “Aku Mint Pass” were also given a discount of 0.5 ETH for each minted NFT. In general, nothing foreshadowed trouble.

But by Saturday, a loud discussion had broken out on Twitter. Everyone was trying to figure out how nearly $34 million was lost forever. A user with the nickname 0xInuarashi, who is also a developer of multiple NFT projects, was able to explain what was happening:

0xInuarashi explained that the Akutars smart contract was coded in such a way that refunds to bidders had to be processed first, before the team could withdraw any funds. The contract had the following condition: a minimum number of bids must be made before it allows the team to withdraw money from the account.

But the minimum number of bids was set equal to the number of NFTs available for auction. Some users, in turn, minted several NFTs at once in a single request, so there were fewer bids than NFTs. As a result, the contract's condition could not be fulfilled, and access to the $33 million was permanently closed, even for the developers.
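The unit mismatch described above can be reproduced with a small accounting model. This is an added example, not the Akutars contract code: the class, function and field names, the constructed prices and the refund rule (each bidder gets back what they paid above the final price) are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Bid:
    bidder: str
    quantity: int   # NFTs requested in this one bid
    price: int      # price per NFT at bid time (constructed units)

class AuctionModel:
    """Accounting model of the withdrawal gate; not the Akutars contract code."""

    def __init__(self, supply: int, compare_like_units: bool):
        self.supply = supply                  # NFTs offered in the auction
        self.compare_like_units = compare_like_units
        self.bids: list[Bid] = []
        self.refund_progress = 0              # number of bid records refunded
        self.balance = 0

    def place_bid(self, bidder: str, quantity: int, price: int) -> None:
        sold = sum(b.quantity for b in self.bids)
        if quantity < 1 or sold + quantity > self.supply:
            raise ValueError("quantity exceeds remaining supply")
        self.bids.append(Bid(bidder, quantity, price))
        self.balance += quantity * price

    def process_refunds(self, final_price: int) -> None:
        # Assumed refund rule: return what each bidder paid above the final price.
        while self.refund_progress < len(self.bids):
            bid = self.bids[self.refund_progress]
            self.balance -= bid.quantity * (bid.price - final_price)
            self.refund_progress += 1

    def can_withdraw(self) -> bool:
        # Flawed gate: a per-bid counter is compared with a per-NFT total.
        # Corrected gate: both sides of the comparison count bid records.
        required = len(self.bids) if self.compare_like_units else self.supply
        return self.refund_progress >= required

def run(quantities: list[int], compare_like_units: bool) -> tuple[bool, int]:
    """Sell out the auction with the given per-bid quantities, refund everyone,
    and return (withdrawal allowed, balance still held by the contract)."""
    auction = AuctionModel(sum(quantities), compare_like_units)
    for i, qty in enumerate(quantities):
        auction.place_bid(f"bidder{i}", qty, price=35 - i)  # constructed falling price
    auction.process_refunds(final_price=35 - (len(quantities) - 1))
    return auction.can_withdraw(), auction.balance
```

With one NFT per bid the flawed gate opens, which is why a test suite that never bids for more than one NFT at a time would not catch the problem; a single multi-NFT bid is enough to keep it closed after every refund has been paid.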

The situation with the exploit helps explain the Akutars tweet, which was later deleted. But the Internet remembers everything, so you can still read it:

Several independent developers warned the Akutars team that there was a vulnerability in the contract, but the warning was ignored. Moreover, the potential vulnerability was called a feature.

During the mint itself, an unknown user signed a so-called “griefing contract”, which prevented the Akutars contract from processing refunds to those who had made a lower bid. The user even embedded a message to the Akutars team in the blockchain, which said that the contract would be blocked until Akutars publicly confirmed the existence of the exploit:

Akutars reacted quickly enough and wrote the following tweet, in which they took responsibility for the code:

Later, the project’s founder and former pro-baseballer Micah Johnson promised on Twitter that he would work tirelessly to avoid similar mistakes in the future:

On Sunday, a day after the failure, the development team announced that the smart contract had been rewritten and rechecked, and that the mint was planned for Monday:

Overall, Akutars’ reputational losses are small, and the monetary loss was $33M, which is not that much by the standards of the crypto industry. In addition, there is the strange situation with an exploit that the team was warned about and that was presented as a feature. These factors give me an idea: wasn’t this a planned promotional event?

Query statistics (“Akutars”, “Akutars nft”, “Akudreams”) on Google Trends clearly show a jump in the popularity of these topics. The peak falls exactly on the weekend, the time when the bug and exploit were actively discussed:

After the exploit was discussed on Twitter, many news outlets began to write about the event, which also fuelled the audience's interest. And what did it lead to? According to the Mintalytics charts, for the period 04.27–05.01 (just after a lot of news about the errors of the Akutars team appeared), total volume increased by 26.3%, and total sales by 37%:

Total volume of Akutars NFT collection
Total sales of Akutars NFT collection

I will not claim that all of the above facts have a connection. Draw your own conclusions. See you soon!
