Akutars is a collection of 15,000 3D avatar NFTs on the Ethereum blockchain. The project was developed by Aku Dreams, a studio headed by retired pro baseball player Micah Johnson. Johnson is an artist, and he has been selling NFTs since as early as 2020. Akutars is his most ambitious project to date.
Aku Dreams did its Akutars launch using a Dutch auction to determine the price of the NFTs. Unfortunately, the smart contracts that execute the business logic of the Dutch auction were buggy. Internet commenters were quick to blame the devs for writing and releasing buggy code, but it's possible the decision to launch the project via Dutch auction came late in the development process, following the buzzy Anata NFT drop, which also used a Dutch auction. Internet complainers noted that Aku Dreams' Dutch auction code was trivial to hack and that any auditor would have caught the mistakes. To me, this suggests the devs had to rush to get the project out and there was no time for an audit or even a testnet shakeout.
On April 22, smart contract researcher hasan tweeted about the vulnerability. Despite hasan's calls for an audit of the Akutar NFT auction smart contracts, the Aku Dreams team reportedly dismissed hasan's warnings as FUD and continued with the Dutch auction.
A griefer (similar to a hacker, except a griefer gives the money back eventually) exploited the Dutch auction refund logic to lock the refunds in a halfway state. The griefer made fun of the Aku Dreams devs using messages on the blockchain for a while, then released the funds. This set off a race for auction participants to get their refunds before a less friendly hacker exploited the same bug.
Hey, if you start processing refunds and a bidData.bidder.call fails and refunds get stuck, the people who have already been refunded won't be able to retrieve the rest of their funds using emergencyWithdraw and you guys can't use claimProjectFunds() either because of require(refundProgress >= totalBids, "Refunds not yet processed");. Please do bug bounty on your contracts or have them audited at least.
- Grief message on the Ethereum blockchain
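The refund-lock mechanism the grief message describes, as an added illustrative example that is not Aku Dreams' code: the only identifiers taken from the page are refundProgress, totalBids, bidData.bidder.call and claimProjectFunds; the contract layout, the Bid struct, bid() and finalize() are assumptions made for the example. The first contract shows the push-refund loop that a single recipient whose call fails can stall indefinitely, which also blocks the project's own claim; the second shows the pull-payment rewrite in which each bidder withdraws their own refund and the project claim is gated on an accounting total rather than on a loop having completed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction, not Aku Dreams' code. Both contracts assume a
// real auction enforces msg.value >= current price, so every bid >= finalPrice.

// Vulnerable pattern: "push" refunds in a loop. One bidder whose receive()
// reverts (or burns too much gas) makes the whole batch revert, so refundProgress
// never advances past that bid and claimProjectFunds() stays blocked for everyone.
contract PushRefundAuction {
    struct Bid { address bidder; uint256 amountPaid; }
    Bid[] public bids;
    address public owner;
    uint256 public finalPrice;     // clearing price, set when the auction ends
    uint256 public totalBids;      // number of bids placed
    uint256 public refundProgress; // index of the next bid to refund

    constructor() { owner = msg.sender; }

    function bid() external payable {
        bids.push(Bid(msg.sender, msg.value));
        totalBids += 1; // must count the same unit the refund loop advances by
    }

    function finalize(uint256 price) external {
        require(msg.sender == owner, "Not owner");
        finalPrice = price;
    }

    function processRefunds(uint256 batchSize) external {
        uint256 end = refundProgress + batchSize;
        if (end > totalBids) end = totalBids;
        for (uint256 i = refundProgress; i < end; i++) {
            Bid storage bidData = bids[i];
            uint256 refund = bidData.amountPaid - finalPrice;
            (bool ok, ) = bidData.bidder.call{value: refund}("");
            require(ok, "Refund failed"); // one bad recipient reverts the whole batch
            refundProgress = i + 1;
        }
    }

    function claimProjectFunds() external {
        require(msg.sender == owner, "Not owner");
        require(refundProgress >= totalBids, "Refunds not yet processed");
        payable(owner).transfer(address(this).balance);
    }
}

// Hardened pattern: "pull" refunds. A failing recipient only blocks themselves,
// and the project claim depends on how much is still owed, not on a loop finishing.
contract PullRefundAuction {
    address public owner;
    bool public finalized;
    uint256 public finalPrice;
    uint256 public bidderCount;
    uint256 public totalPaid;
    uint256 public totalRefundsOwed;          // sum of refunds not yet withdrawn
    mapping(address => uint256) public paid;  // one bid per address, for brevity
    mapping(address => bool) public refunded;

    constructor() { owner = msg.sender; }

    function bid() external payable {
        require(msg.value > 0 && paid[msg.sender] == 0, "Bad bid");
        paid[msg.sender] = msg.value;
        totalPaid += msg.value;
        bidderCount += 1;
    }

    function finalize(uint256 price) external {
        require(msg.sender == owner && !finalized, "Bad state");
        finalPrice = price;
        totalRefundsOwed = totalPaid - price * bidderCount;
        finalized = true;
    }

    function refundOwed(address bidder) public view returns (uint256) {
        if (!finalized || refunded[bidder] || paid[bidder] <= finalPrice) return 0;
        return paid[bidder] - finalPrice;
    }

    function withdrawRefund() external {
        uint256 refund = refundOwed(msg.sender);
        require(refund > 0, "Nothing to refund");
        refunded[msg.sender] = true;   // effects before the external call
        totalRefundsOwed -= refund;
        (bool ok, ) = msg.sender.call{value: refund}("");
        require(ok, "Refund failed");  // only this bidder's own withdrawal fails
    }

    function claimProjectFunds() external {
        require(msg.sender == owner && finalized, "Bad state");
        uint256 claimable = address(this).balance - totalRefundsOwed;
        payable(owner).transfer(claimable);
    }
}
```

Two checks a reviewer would apply to the push version: any external call inside a loop over user-supplied addresses must not be able to revert the loop, and the gate in claimProjectFunds() must compare counters that count the same unit, since if the loop advances per bid while the total counts something else (for example, NFTs purchased), refundProgress can never reach totalBids even when every refund has been paid. The pull version avoids both problems by design: there is no loop, and the owner's claim is computed from what is still owed rather than from the loop's position.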
The second problem is a software bug in the function that allows the project owner to claim the funds locked in the contract.
By design, the contract would first process all refund claims and only then allow the developer to withdraw funds. But due to faulty code, the contract thinks that total refund bids are higher than the amount locked into the contract, and as such, has frozen withdrawals indefinitely.
Today, 11.5k ETH is still locked in that contract. Aku Dreams claims it has hired smart contract devs to try to recover the locked ETH and offer refunds. There is no timeline for resolution.