A bug cost Akutar NFTs $34 million – what can we learn about NFTs from it?

The world of non-fungible tokens (mostly known as NFTs) is still extremely popular. There is almost daily news about artists, athletes or celebrities entering this world, either by buying NFTs or by creating and releasing their own collections. Micah Johnson, a star MLB player, decided to do the latter and created the Aku and Akutars NFTs, which, however, recently ran into a problem. What happened?

What are Akutars?

Before we look at what led to a loss of 34 million dollars, let’s first look at what exactly Akutars are and why this NFT launch was so anticipated. Akutars are 3D avatars that tell the story of a young Black boy, Aku, who dreams of becoming an astronaut. According to Micah, he decided to create the story of Aku based on the questions of his 4-year-old nephew.

Examples of different Akutars

The collection of Akutars has 15,000 Ethereum avatars with different traits. Micah tells the story of the young astronaut through “Chapters”, each of which represents a part of Aku's life. They are also used in different distributions of newly created NFTs, where the owner of 4 unique chapters receives an “O.G. Trait.”

Moreover, as with other NFTs, Akutars have more uses than being collectibles. The owners of Akutars are granted holder entry to the Akuverse, an ever-evolving Metaverse. As is common, the holders also gain access to future collaborations, experiences and more.

What went wrong?

As mentioned earlier, the whole collection currently has 15,000 Ethereum avatars. About 5,500 Akutars were supposed to be distributed on Friday the 22nd of April, with the airdrop happening under a very specific set of rules, such as a maximum mint of 3 Akutars and the price of an Akutar dropping by 0.1 ETH every 6 minutes.

Problems straight from the start

Unfortunately, after the launch, which was supposed to take the form of a Dutch auction, problems arose. A Twitter user named Hasan, who is regarded as a security expert in the field, announced that he needed to get in contact with someone from the Aku team regarding a bug he had found in the code.

Sadly, he was told by the developers of Aku that what he believed was a bug was actually a “feature” of the smart contract. But that is where the problems took a turn for the worse. Someone named USER221 was able to trigger the suspected exploit that Hasan had warned about. That led to the halting of withdrawals and refunds of ETH from the smart contract.

As it turned out, USER221 never had malicious intentions. He even stated the following:

“Well, this was fun, I had no intention of actually exploiting this lol. Otherwise, I wouldn’t have used Coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately.”

The only thing that he wanted was for Aku’s team to take ownership of this mistake, which is something they did pretty quickly. And just as he promised, he unblocked the exploit right after that.

The worst was yet to come

Sadly, while this bug was resolved, a second bug appeared. As described by 0xInuarashi, the Aku developers failed to account for multiple NFTs being minted in the same transaction, even though the contract requires its numbers to line up properly. If they do not, withdrawals of any kind are not possible, which is exactly what happened.

More than 11,539 ETH, worth over 34 million dollars at the time of the bug discovery, are now locked within an automated smart contract. The smart contract appears to be permanently stuck, meaning that neither the developers nor the users got what they wanted.
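A simplified model of the mismatch described above, added here as an illustration and not the Aku contract's code. It assumes the stuck check compared a counter advanced once per bid against a total counted per NFT; all names are hypothetical and the sample amounts (in milli-ETH) are constructed.

```python
# Simplified, constructed model of the accounting mismatch; not the Aku contract's code.
# All names (AuctionModel, refund_progress, total_units) are hypothetical.

class AuctionModel:
    MAX_UNITS_PER_BID = 3  # the article's "maximum minting of 3 Akutars"

    def __init__(self, count_units=False):
        self.count_units = count_units  # False: per-bid counter (buggy); True: per-NFT counter
        self.bids = []                  # (bidder, units, price paid per unit in milli-ETH)
        self.total_units = 0            # NFTs bid for, summed over all bids
        self.refund_progress = 0        # advanced while refunds are processed
        self.balance = 0                # milli-ETH held by the contract

    def bid(self, bidder, units, price):
        if not 1 <= units <= self.MAX_UNITS_PER_BID:
            raise ValueError("units out of range")
        self.bids.append((bidder, units, price))
        self.total_units += units
        self.balance += units * price

    def process_refunds(self, final_price):
        """Refund every bid down to the final Dutch-auction price."""
        refunded = {}
        for bidder, units, price in self.bids:
            amount = units * (price - final_price)
            self.balance -= amount
            refunded[bidder] = refunded.get(bidder, 0) + amount
            # The mismatch: one step per bid, although the gate below counts NFTs.
            self.refund_progress += units if self.count_units else 1
        return refunded

    def withdraw_proceeds(self):
        # Gate intended to mean "all refunds are done before proceeds leave".
        # With the per-bid counter it can never pass once any bid has units > 1.
        if self.refund_progress < self.total_units:
            raise RuntimeError("refunds not complete")
        proceeds, self.balance = self.balance, 0
        return proceeds


def run(bids, final_price, count_units):
    """Return the withdrawn proceeds, or None if the funds end up locked."""
    auction = AuctionModel(count_units)
    for bidder, units, price in bids:
        auction.bid(bidder, units, price)
    auction.process_refunds(final_price)
    try:
        return auction.withdraw_proceeds()
    except RuntimeError:
        return None
```

In this model, a test suite in which every bid is for a single NFT passes with the per-bid counter, so the lock only shows up once a multi-NFT bid is included in the test data.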

Total ETH lost, Source: Twitter.com

While the creators of Aku will not be able to withdraw any funds from the sale, the owners of the NFTs will not be able to receive their promised 0.5 ETH refunds, leading to a stalemate situation in which neither side is getting “what was promised.”

Too late for apologies

After all these mistakes, Micah Johnson issued several apologies. He not only owned up to the mistakes and problems with the smart contract, but also blamed himself for speaking prematurely about a problem that he did not fully understand. One of his statements is as follows:

“The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku, and most everything will go back to refunds and we will keep building what we set out to do. Brick by brick.”

While he specified that some refunds will be issued, most likely in the amount of 0.5 ETH to all the Akutar Pass Holders, these will come from a different treasury, that of a previous Aku NFT sale. The team behind Aku has already released a new version of the code, through which they will be able to distribute the Akutar NFTs to the buyers.

What can we learn?

Lessons can be learnt on many levels from the situation around the launch of this NFT collection. First of all, as was very swiftly pointed out by the community, the developers of Akutar should have used a third-party auditing firm that would properly audit the code. In this case, a single line of code that prevented withdrawal from the smart contract meant that more than 34 million dollars are probably locked away forever. This could have been easily prevented, had the team behind this NFT collection followed proper security measures.

Secondly, had the team listened immediately to people like Hasan or 0xInuarashi, who warned about possible exploits, a lot of this could have been prevented. They were even lucky that USER221, who was able to exploit one of the bugs, reverted his steps right after the team owned up to the mistake.

This is also where a third lesson comes in, but that one is mostly for the investors or owners of NFTs. If you are joining the world of NFTs, which is pretty risky on its own, you should do proper due diligence. While not everyone is capable of spotting possible mistakes in the code, in this case the only thing that was necessary was monitoring Twitter. Since most of the warnings about bugs and possible exploits came from people on Twitter, this would have been an easy red flag that could have kept any investor from putting money into a contract that is now permanently locked.

Is creating a safe NFT still too difficult?

Is creation of a safe NFT still too difficult?

The whole situation around the Aku NFT only points out how complex and risky investing in NFTs is. The same applies to the creation of such collectibles, since in this case literally one line of code ended up locking a fortune (worth close to 34 million dollars). Simply put, you can never be too careful about NFTs, especially since they are still in an extremely nascent phase.

Nevertheless, this should not be an excuse for the incompetence of developers or a lack of due diligence by investors. While developers have an extremely difficult job, since they are essentially working in completely new environments all the time, they should be much more careful when it comes to security risks and issues.

Moreover, in this case, hiring a third-party consultancy or auditing firm would have easily saved millions of dollars. Thus, as a potential investor in any new NFT collection, always check whether there have been any audits or checks by third-party companies or security experts, since they can save everyone a lot of money, time and energy.

Conclusion

While it is difficult to find a positive in this specific situation, there might be a silver lining. The whole community around Aku, both the investors and the developers, will be much more careful the next time any launch, collection, update or feature is released. If this project is to succeed, it now needs to build its reputation up again, just like Micah Johnson mentioned, brick by brick.
