NFT project Aku Dreams saw about $34 million worth of Ethereum (ETH) locked permanently after a recent exploit triggered a fatal bug in the smart contract.
The project was first attacked by an exploiter who blocked refunds to users who had bid for certain NFTs in the project. But the attack was intended to expose a vulnerability in the project, and was quickly reversed.
However, a damaging side effect of the attack was that about $34 million worth of ETH will be locked into the contract forever. The funds will be completely inaccessible to even the developers of Aku Dreams.
Aku Dreams was created by former baseball player Micah Johnson, and is centered around the virtual character Aku. The collection was featured in a real-life exhibition last year.
Aku Dreams NFT sees botched launch
The faulty code came to light just as Aku Dreams launched the minting of its new collection, Akutars. Users had noted some issues with the launch even before the $34 million lock came to light.
The developer acknowledged the bug, and said it intended to issue refunds to any affected users.
The refunds to passholders of .5ETH per bid have not yet been issued… the contract has locked remaining funds. We will never be able to access them.
An analysis by blockchain security firm BlockSec showed that there were two key vulnerabilities in the contract. The first is in faulty code for processing refunds, which has so far not been exploited.
The second is a software bug, specifically in a function that allows the project owner to claim funds locked into the contract.
By design, the contract would first process all refund claims and only then allow the developer to withdraw funds. But due to faulty code, the contract thinks that total refund bids are higher than the amount locked into the contract, and as such, has frozen withdrawals indefinitely.
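The "refunds first, then owner withdrawal" guard described above can be modelled in a few lines. This is an added illustration, not code from the Aku Dreams contract or from BlockSec's analysis: the class and method names are hypothetical, and the exact form of the faulty comparison (a per-bid progress counter checked against a per-item total) is an assumption used to show how such a guard becomes permanently unsatisfiable and how a pre-deployment check catches it.

```python
# Simplified model of a "refunds first, then owner withdrawal" auction.
# Added illustration only: all names and the guard's form are hypothetical.

class AuctionModel:
    def __init__(self, fixed_guard=False):
        self.bids = []            # one entry per bid: (bidder, quantity, paid)
        self.total_quantity = 0   # items bid on, summed over all bids
        self.refund_progress = 0  # number of bid entries refunded so far
        self.balance = 0          # funds held by the contract
        self.fixed_guard = fixed_guard

    def bid(self, bidder, quantity, price):
        self.bids.append((bidder, quantity, quantity * price))
        self.total_quantity += quantity
        self.balance += quantity * price

    def process_refunds(self, refund_per_item):
        # Refund every remaining bid entry; progress advances once per entry.
        while self.refund_progress < len(self.bids):
            _, quantity, _ = self.bids[self.refund_progress]
            self.balance -= quantity * refund_per_item
            self.refund_progress += 1

    def can_claim_project_funds(self):
        if self.fixed_guard:
            # Compare like with like: entries refunded vs. entries recorded.
            return self.refund_progress >= len(self.bids)
        # Faulty guard (assumed form): entries refunded vs. items bid on.
        # One multi-item bid makes the right-hand side unreachable.
        return self.refund_progress >= self.total_quantity

    def claim_project_funds(self):
        if not self.can_claim_project_funds():
            raise RuntimeError("refunds not yet processed")
        claimed, self.balance = self.balance, 0
        return claimed


def funds_stuck_after_refunds(fixed_guard):
    """Liveness check: once every refund is paid, can the owner withdraw?"""
    auction = AuctionModel(fixed_guard)
    auction.bid("alice", 1, 10)  # constructed sample bids
    auction.bid("bob", 3, 10)    # a single entry covering several items
    auction.process_refunds(refund_per_item=4)
    return (not auction.can_claim_project_funds()), auction.balance
```

Running the same liveness check against a test deployment before launch, with at least one multi-item bid in the sample data, is the kind of test that exposes a guard that can never pass.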
The aftermath
BlockSec joined several other Twitter users in chiding Aku Dreams for not conducting a smart contract audit. Social media users also criticized the fact that a project of such scale had faulty contracts, something also seen with a recent NBA NFT mint.
The project saw several developers offering to help retrieve the lost funds, although it remains unclear how that would be possible. The smart contract covering the funds is non-updateable, meaning the funds are locked there for the foreseeable future.
Some users likened the lock to an impromptu ETH burn.