AkuDreams Griefed: Careless Code Leads To $45 Million Locked

Refundable auctions are a hot topic today on Twitter. There was the wildly successful Anata NFT drop… and then there was the AkuDreams auction. The auction required users to transfer funds with their bid, and allowed them to claim a refund afterwards if the Dutch auction price dropped below their bid. However, a bug in the refund logic allowed AkuDreams to be griefed.

Griefing attacks are different from traditional exploits, as the hacker does not actually profit from them. However, the users and the protocol still suffer. The griefer used a bug in the refund logic to lock the contract in a halfway state. 15,490 ETH ($45 million USD) was left in limbo, with users unable to process refunds, and the team unable to emergency withdraw funds.

Most of the time in an exploit, the damage is done. In this particular case, there was a happy ending – or so everyone thought. The locking was not permanent. It was reversible, but only by the exploiter: an exploiter who was happy to unlock the funds, but only after sufficiently dragging the team via Etherscan transaction messages and requiring them to admit they screwed up.

The initial shot across the bow to the dev team:

The Can Devs Do Something??? copypasta:

A meme linked by the hacker:

[Meme image: Anakin/Padme four-panel, captioned "FUNDS ARE LOCKED" / "But the refunds will go out right?" / "BUT THE REFUNDS?"]

And the final happy ending (pt. 1, pt. 2)

The attacker kept his or her word, and some refunds were processed on the AkuDreams contract. Now, it was a race. The contract was still vulnerable as an actually-malicious hacker could use the same exploit and lock the funds for good.

Tragically, that’s not where the story ends.

As a result of some other poor code, the contract is now stuck for a different reason. This excellent thread explains why for the technical readers.

As a TL;DR for nontechnical readers, the developers did not do their accounting correctly, and the wrong number of bids were tracked. Now the function to withdraw funds can never be activated. This is independent of the initial locking of the contract by the gray hat.
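Both failure modes above (a refund process that one bidder can stall, and a withdrawal precondition that can never become true) come down to two design choices. As an added illustration, not the AkuDreams contract or any code from the author or the linked thread, the constructed Solidity sketch below builds a refundable Dutch auction the other way round: refunds are credited to a per-bidder balance that each bidder pulls, instead of being pushed out in a loop that every recipient must be able to accept, and the project-withdrawal gate compares the very counter the settlement loop advances. The contract and variable names, the linear price curve and the per-bid quantity cap are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Constructed example for this article; NOT the AkuDreams contract.
/// Two hardening choices:
///  1. Refunds are PULLED by each bidder, not PUSHED in a loop. A loop that
///     sends ETH to every bidder and requires each send to succeed stalls at
///     the first recipient that cannot accept ETH; with a pull balance a
///     failing recipient hurts only itself.
///  2. The project-withdrawal gate uses the same counter (bid entries) that
///     the settlement loop advances. Gating on a counter kept in a different
///     unit (e.g. items bid for) can make the withdrawal unreachable forever.
contract PullRefundAuction {
    struct Bid {
        address bidder;
        uint256 pricePaid;   // wei per item when the bid was placed
        uint256 quantity;
    }

    address public immutable owner;
    uint256 public immutable startPrice;
    uint256 public immutable endPrice;
    uint256 public immutable startTime;
    uint256 public immutable duration;

    Bid[] public bids;
    uint256 public totalItemsBid;       // sum of quantities; informational, never a gate
    bool public settled;
    uint256 public finalPrice;
    uint256 public settledCount;        // bid entries already credited to `refunds`
    mapping(address => uint256) public refunds;
    uint256 public refundsOutstanding;  // wei still owed to bidders

    constructor(uint256 _startPrice, uint256 _endPrice, uint256 _startTime, uint256 _duration) {
        require(_startPrice >= _endPrice && _duration > 0, "bad params");
        owner = msg.sender;
        startPrice = _startPrice;
        endPrice = _endPrice;
        startTime = _startTime;
        duration = _duration;
    }

    /// Linear price decay from startPrice to endPrice over `duration` (assumed curve).
    function currentPrice() public view returns (uint256) {
        if (block.timestamp <= startTime) return startPrice;
        uint256 elapsed = block.timestamp - startTime;
        if (elapsed >= duration) return endPrice;
        return startPrice - ((startPrice - endPrice) * elapsed) / duration;
    }

    function bid(uint256 quantity) external payable {
        require(block.timestamp >= startTime, "not started");
        require(block.timestamp < startTime + duration, "ended");
        require(quantity > 0 && quantity <= 3, "bad quantity"); // cap of 3 is an assumption
        uint256 price = currentPrice();
        require(msg.value == price * quantity, "wrong payment");
        bids.push(Bid(msg.sender, price, quantity));
        totalItemsBid += quantity;
    }

    /// Anyone may call this in batches once the auction ends. It only credits
    /// balances: no external call, so no bidder can revert the batch.
    function settle(uint256 maxEntries) external {
        require(block.timestamp >= startTime + duration, "auction live");
        if (!settled) {
            finalPrice = currentPrice(); // equals endPrice once the auction is over
            settled = true;
        }
        uint256 end = settledCount + maxEntries;
        if (end > bids.length) end = bids.length;
        for (uint256 i = settledCount; i < end; i++) {
            Bid storage b = bids[i];
            // The price never rises, so pricePaid >= finalPrice and this cannot underflow.
            uint256 overpaid = (b.pricePaid - finalPrice) * b.quantity;
            if (overpaid > 0) {
                refunds[b.bidder] += overpaid;
                refundsOutstanding += overpaid;
            }
        }
        settledCount = end;
    }

    /// Each bidder withdraws their own refund (checks-effects-interactions order).
    function claimRefund() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to refund");
        refunds[msg.sender] = 0;
        refundsOutstanding -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund transfer failed");
    }

    /// Gate on `settledCount == bids.length` (same unit as the loop) and never
    /// sweep the ETH still owed to bidders.
    function claimProjectFunds() external {
        require(msg.sender == owner, "not owner");
        require(settled && settledCount == bids.length, "settlement incomplete");
        uint256 amount = address(this).balance - refundsOutstanding;
        (bool ok, ) = owner.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The point of `refundsOutstanding` is that the project sweep can only ever take what is not owed to bidders, so the two withdrawal paths can never compete for the same ETH; the point of gating on `settledCount == bids.length` is that the condition is stated in the unit the loop actually increments, which is the kind of consistency check the thread linked above found missing.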

The tragic end: 11,539.5 Ether worth over $34 million USD at time of writing is now stuck, forever, in this contract.

This is a brutal incident. This issue should have been caught. There’s really no excuse. As a user, please only invest in NFTs with serious founders who treat security with the gravity it deserves. Stay safe out there, anon.

For those interested in additional technical details of the griefing attack, Twitter user hasan (@notchefbob), who initially called the team out on the error, posted a proof-of-concept exploit to GitHub.


Written By BowTiedPickle

Anonymous cartoon pickle inspired by BowTiedBull. Degen chemical engineer, moonlighting as a Solidity developer.

Disclosure

This article may contain links to third-party websites or other content for information purposes. BowTiedIsland may receive a commission at no cost to you if you purchase a product after clicking one of these links. The Third-Party Sites are not under the control of BowTiedIsland, and BowTiedIsland is not responsible for the content of any Third-Party Site. All information contained herein is the opinion of the writer and does not constitute financial advice. We aim to act as a neutral third party and aid in your research and analysis.
