This is a setback and we wouldn’t wish this on anyone. The only silver lining in all of this is that it takes a team like the Akutar team to be able to survive something this catastrophic. We are still incredibly bullish on Micah Johnson and the Aku project. There is a lot of FUD right now in the space; a few threads attempted to remain agnostic about the situation that unfolded.
TL;DR:
Catastrophic mistakes in crypto are easy. One line of code cost $34m.
Exploit 1: processRefunds() able to get stuck
Exploit 2: bids count did not increment correctly with mint amount
Exploit 3: withdraw requires bids count to increment correctly
Final Caveat: funds stuck forever.
I would like to make some ending remarks but it’s hard to find the words.
Devs, and Artists, run the NFT space. I would suggest never skimping on them.
Good devs know and will demand their worth. Invest in audits. Invest in security.
I would never wish this upon anyone. It is truly gut wrenching and I am really sad to see this happen. – 0xInuarashi
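An added example, not the project's contract code: a small Python model of the failure mode in the TL;DR above, where a withdrawal gate depends on a bid counter that is out of step with the amounts minted, plus the small-scope test that would catch it before deployment. The class and function names, and the exact way the two counters diverge, are assumptions made for illustration.

```python
"""Constructed model for illustration; names and logic are assumptions."""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class AuctionModel:
    per_unit_total: bool                      # True: total grows by quantity (the mismatch)
    bids: list = field(default_factory=list)  # one (bidder, quantity) record per bid
    total_bids: int = 0                       # counter the withdraw gate compares against
    refund_progress: int = 0                  # number of bid records refunded so far

    def bid(self, bidder, quantity):
        self.bids.append((bidder, quantity))
        self.total_bids += quantity if self.per_unit_total else 1

    def process_refunds(self):
        # Progress advances once per bid record, not once per unit bid for.
        while self.refund_progress < len(self.bids):
            self.refund_progress += 1

    def can_withdraw(self):
        # Gate: project funds are released only after every bid is refunded.
        return self.refund_progress >= self.total_bids


def withdraw_reachable(quantities, per_unit_total):
    """Run a full auction lifecycle and report whether the gate ever opens."""
    model = AuctionModel(per_unit_total)
    for i, qty in enumerate(quantities):
        model.bid(f"bidder{i}", qty)
    model.process_refunds()
    return model.can_withdraw()


def find_stuck_case(max_bids=3, max_qty=3, per_unit_total=True):
    """Exhaustive small-scope search for a bid pattern that leaves funds locked."""
    for n in range(1, max_bids + 1):
        for quantities in product(range(1, max_qty + 1), repeat=n):
            if not withdraw_reachable(quantities, per_unit_total):
                return quantities
    return None
```

A test suite in which every bidder asks for exactly one unit passes in both configurations, which is why the search varies the quantity per bid.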
Hi, let’s talk about the Akutars disaster.
- A mint pass snapshot mechanism gone wrong that’s wrecking people on the secondary market
- An exploit in the smart contract blatantly paraded as a “feature” by the team, resulting in $45mil in total ETH held hostage
series, always a positive thing 2. A true Dutch Auction where everyone pays the lowest price before selling out instead of punishing early buyers with higher prices.
What could have been done better with the Aku Drop:
Mintpasses. The team decided to snapshot all holders at 2pm ET for future Akutar distribution. Why is this bad? Because most of us don’t live on the internet keeping up to date with everything, let alone at 2pm ET on a business day. This means that even after the snapshot had taken place, people were still buying mintpasses thinking they would qualify for the Akutar. Some people attempting to purchase a mintpass had made global offers on all the major NFT marketplaces. After the snapshot had been taken, attentive sellers were able to slam offer accepts on high bids for their now-useless mintpasses, leaving these bidders with a useless bag. The easiest way to fix this was to allow mintpass holders to turn in their pass for an Akutar.
does anyone know any connect to devs at @AkuDreams
this is an urgent matter regarding their drop.
— hasan (@notchefbob) April 22, 2022
AkuDreams did a 3.5e Dutch Auction today that refunded anyone who purchased above the final resting price…but their contract was poorly written and is susceptible to a griefing exploit that would cause the minting funds in the contract to be locked
Hasan tried to tell them
— bender (@0xBender) April 22, 2022
What they could have done differently:
- Enlist the help of third-party auditing firms to look for exploits in your smart contract before you release it.
- Set up a bug bounty program.
- Not brush off concerns from security researchers as unwarranted FUD.
This was a project that had a lot of attention, fanfare, and good intentions. They did some good things, but they overlooked all of the technical aspects of the project and it resulted in an overly complicated smart contract which the team did not understand.
As a result of this disaster, the fears of “unwarranted FUD” have materialized to become substantiated, deserved criticism. While we should be mindful of Hanlon’s Razor, we need to ask ourselves why high profile projects often end up delivering such stressful experiences.
https://t.co/A9lobVZC3p
34 Million USD gone. Just like that. Locked in the contract forever. A lot of people put light on the grieving which locked processRefunds() for a bit, that was the first exploit.
Luckily that was unlocked, but funds are still locked forever. How?
🧵 1/
— 0xInuarashi (@0xInuarashi) April 23, 2022