The highly anticipated nonfungible token (NFT) project Akutars experienced setbacks over the weekend, as both an exploit and a bug resulted in over 11,500 Ether (ETH) being permanently locked within a smart contract, with no access even for the development team.
However, the exploit was not an attempt to steal funds through a hack, but rather someone trying to demonstrate a vulnerability in the project. The project launched on Friday with a Dutch Auction, where the price decreases until a bid is received, and the first bid above the reserve wins the sale.
The auction began at 3.5 ETH, with only 5,495 of the 15,000 available NFTs up for sale. The smart contract was designed to refund bidders who were underbid, and holders of an “Aku Mint Pass” received a 0.5 ETH discount on each NFT.
The $33 million bug was explained in a Twitter thread on Saturday by 0xInuarashi, a developer of multiple NFT projects. The smart contract for Akutars was coded so that refunds had to be processed before the team could withdraw any funds. However, a minimum number of bids was required for the team to withdraw, and this minimum was set equal to the number of NFTs available for auction.
Unfortunately, because some buyers minted multiple NFTs within a single bid, the number of bids is smaller than the number of NFTs, so the contract's withdrawal condition can never be met, effectively sealing away the $33 million in ETH forever. Cointelegraph reached out to the Akutars team for comment but did not receive an immediate response.
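The withdrawal gate described above can be modelled in a few lines. This is an added Python example, not the Akutars contract's code: the class and function names, prices and bid quantities are constructed, refunds are assumed to be the difference between what was paid and the final price, and the `per_bid_gate` correction is one possible fix, not the project's rewritten contract.

```python
from dataclasses import dataclass

@dataclass
class Bid:
    bidder: str
    quantity: int   # NFTs bought in this single bid
    paid: int       # amount sent, in arbitrary integer units

class AuctionModel:
    """Constructed model of the gate the article describes; not the Akutars contract."""

    def __init__(self, total_nfts, final_price, bids):
        self.total_nfts = total_nfts
        self.final_price = final_price
        self.bids = bids
        self.balance = sum(b.paid for b in bids)
        self.refund_progress = 0        # advances once per bid, not per NFT

    def process_refunds(self):
        # Assumed refund rule: return whatever was paid above the final price.
        for bid in self.bids[self.refund_progress:]:
            self.balance -= bid.paid - self.final_price * bid.quantity
            self.refund_progress += 1

    def withdraw(self, per_bid_gate=False):
        # Flawed gate: threshold is the NFT count, but the counter counts bids.
        # per_bid_gate=True is one possible correction (an assumption).
        threshold = len(self.bids) if per_bid_gate else self.total_nfts
        if self.refund_progress < threshold:
            raise RuntimeError("refunds not yet processed")
        paid_out, self.balance = self.balance, 0
        return paid_out

def gate_reachable(total_nfts, bids):
    """Pre-deployment invariant: the counter's maximum must reach the threshold."""
    return len(bids) >= total_nfts

def run(quantities, final_price=2, start_price=3):
    """Sell out a constructed auction, refund everyone, then try to withdraw."""
    bids = [Bid(f"bidder{i}", q, start_price * q) for i, q in enumerate(quantities)]
    auction = AuctionModel(sum(quantities), final_price, bids)
    auction.process_refunds()
    try:
        withdrawn = auction.withdraw()
    except RuntimeError:
        withdrawn = None            # funds stay locked in the model
    return withdrawn, gate_reachable(auction.total_nfts, bids), auction.balance
```

A single multi-quantity bid is enough to make `gate_reachable` false, which is the kind of property a test suite can assert before deployment.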
The exploit occurred when an unknown individual executed a “griefing contract” during the mint, which prevented the Akutars contract from processing refunds to underbidders. The individual even left a message on the blockchain, informing the Akutars team that they would stop the contract.
Akutars quickly took responsibility for the code, stating that the exploit was not malicious and that the person intended to bring attention to best practices for highly visible projects. The project’s founder, Micah Johnson, a former pro-baseballer, apologized to the community and promised to continue building and working to avoid similar issues in the future.
The team announced that it would issue 0.5 ETH refunds to pass holders and airdrop the NFTs to successful bidders. They also stated that they had rewritten the minting contract, which was audited by several developers, and planned to mint on Monday.
In an unrelated incident, a hacker mistakenly left $1 million in stolen funds in a DeFi exploit contract set to self-destruct. The headline of this article has been updated from “$34M” to “$33M.”