Aku Ethereum NFT Launch Ends With $34M Locked in Flawed Smart Contract
A hotly anticipated Ethereum NFT launch on Friday went seriously awry when apparent flaws in the project’s underlying code (or smart contract) locked away $34 million worth of ETH, which now apparently can't be accessed by the creators or NFT buyers.
The launch was for Akutars, a 3D avatar project and the latest release based on Aku, an original character created by former Major League Baseball player Micah Johnson. The character is a young Black boy who dreams of becoming an astronaut, as inspired by a real-life question posed by Johnson’s nephew.
The Akutars project spans 15,000 Ethereum avatars with randomized traits, with owners of earlier Aku NFTs granted a free avatar for each piece they held. The remaining 5,500 avatar NFTs launched on Friday via a Dutch Auction format starting at 3.5 ETH (about $10,350 at the time), with the price gradually decreasing.
Once the launch started, however, a Twitter user named Hasan warned of an issue with the smart contract—and wrote that he was told by Aku’s developers that he was “wrong” and was assured that there were failsafes in place to prevent the issue.
However, someone going by the name USER221 then triggered the suspected exploit, which apparently halted both Ethereum withdrawals and refunds from the contract, according to a thread by Ethereum developer 0xInuarashi.
Alongside the exploit came a note urging the developers to “please do bug bounty on your contracts or have them audited at least.” USER221 then sent a separate note attached to an Ethereum transaction, writing that they would effectively unlock the project.
“Well, this was fun, had no intention of actually exploiting this lol,” they wrote. “Otherwise I wouldn't have used Coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately.”
The project started working again, but then a second, separate bug surfaced. As 0xInuarashi’s thread describes, the Aku developers’ smart contract failed to account for buyers minting multiple NFTs within a single transaction; because the contract requires its internal tallies to match before it permits withdrawals of any kind, the resulting mismatch left those withdrawals blocked.
The end result is that 11,539 ETH—worth about $34 million as of Friday—is locked within the automated smart contract, which appears to be permanently stuck. Aku’s creators won't be able to withdraw any funds from the sale, and NFT owners who held an Akutar Mint Pass NFT can't receive their promised 0.5 ETH refunds from it.
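As an added illustration of the class of bug described above (not the Akutars contract, whose source this article does not reproduce), the assumed Solidity contract below gates withdrawals on two counters that measure different things: the refund loop advances one counter per address, while the mint function advances another per NFT, so a single transaction minting more than one NFT makes the withdrawal condition unsatisfiable. Every name in it is invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Assumed simplification, not the Akutars contract: a Dutch-auction mint whose
// withdrawal is gated on two counters that measure different things.
contract DutchMintRefunds {
    address public immutable owner = msg.sender;
    uint256 public finalPrice;                 // 0 until the auction settles
    address[] public bidders;                  // one entry per buying address
    mapping(address => uint256) public qty;    // NFTs bought per address
    mapping(address => uint256) public paid;   // wei paid per address
    uint256 public totalMinted;                // += quantity per mint call
    uint256 public refundProgress;             // += 1 per address refunded
    // One transaction may mint several NFTs at the current auction price.
    function mint(uint256 quantity, uint256 price) external payable {
        require(finalPrice == 0 && msg.value == quantity * price, "bad mint");
        if (qty[msg.sender] == 0) bidders.push(msg.sender);
        qty[msg.sender] += quantity;
        paid[msg.sender] += msg.value;
        totalMinted += quantity;               // grows by quantity, not by 1
    }
    function settle(uint256 price) external {
        require(msg.sender == owner && finalPrice == 0 && price > 0, "not allowed");
        finalPrice = price;
    }
    // Refund the next `batch` addresses the difference to the final price.
    function processRefunds(uint256 batch) external {
        require(finalPrice != 0, "not settled");
        uint256 end = refundProgress + batch;
        if (end > bidders.length) end = bidders.length;
        for (uint256 i = refundProgress; i < end; i++) {
            address b = bidders[i];
            uint256 refund = paid[b] - qty[b] * finalPrice;
            (bool ok, ) = b.call{value: refund}("");
            require(ok, "refund failed");
        }
        refundProgress = end;                  // grows by one per address
    }
    // BUG: an address count is compared with an NFT count; after any mint of
    // more than one NFT, refundProgress can never equal totalMinted.
    function withdrawBuggy() external {
        require(msg.sender == owner && refundProgress == totalMinted, "locked");
        payable(owner).transfer(address(this).balance);
    }

    // FIX: gate on the same unit the refund loop actually advances.
    function withdrawFixed() external {
        require(msg.sender == owner && refundProgress == bidders.length, "locked");
        payable(owner).transfer(address(this).balance);
    }
}
```

The invariant a review or audit should check is that any counter used as a withdrawal gate is incremented in the same unit as the counter it is compared against; a unit test that mints two NFTs from one address and then attempts the withdrawal would have caught this form of the bug.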
Aku’s next steps
In a postmortem Twitter thread on Friday night, the Aku team wrote that the aforementioned exploiter (USER221) was only trying to help diagnose a buggy smart contract.
“The exploit in the contract was not done out of malice; the person intended to bring attention to best practices for highly visible projects & novel mechanics,” the project tweeted. “They unblocked the exploit quickly after we dug in and took ownership.”
Johnson also apologized on Twitter for pushback to developers who first recognized the problems in the smart contract code. “I completely own up to that,” he wrote. “I'm unfortunately not a developer and spoke prematurely about what I understood wasn’t a problem but ended up being. I’m really really sorry.”