Bug in smart contract of AkuDreams NFT project resulted in loss of $34 million

“$34 million, or 11,539 ETH, is permanently locked in smart contract AkuDreams. They cannot be retrieved by individual users or the project team,” wrote the developer under the nickname 0xfoobar.

At the end of the auction, the losing participants were supposed to withdraw their ETH, but due to an error in the contract logic, they cannot use the emergencyWithdraw() function responsible for withdrawing funds.

According to 0xfoobar, the project team is also unable to withdraw assets “because of incorrect increment math.”

AkuDreams Team confirmed information about the error and emphasized that the incident occurred due to a “non-malicious exploit”. The founder of the NFT project Gangster All Star, 0xInuarashi, explained that “someone was able to break processRefunds() by placing a bet from a contract.”

3/ This was the cause of the more-so-well-known exploit of a griever contract that can call the bid function (because they did not disable contract calling) which as a fallback that fails.

In short, someone could have bid and broke the processRefunds() by bidding from a contract

— 0xInuarashi (@0xInuarashi) April 23, 2022

The developers of AkuDreams stated that they would compensate for the losses of users (0.5 ETH for each victim). The refund will be made on Monday or Tuesday – for this, the reserve of the project treasury will be used.

Update:

.5E Refunds for Pass Holders
– Will be honored
– ETA: Monday/Tuesday
– Why? Bank opens Monday. Money from Chapter treasury will be used.

Akutars
– Will be airdropped
– Auditing contract to ensure accuracy
– ETA: Sunday

– Wait for the official Akutar OpenSea link

— Aku :: Akutars (@AkuDreams) April 23, 2022

Recall that in March, an unknown stole $790,000 from the owners of the Rare Bears NFT collection.