Refundable auctions are a hot topic today on Twitter. There was the wildly successful Anata NFT drop… and then there was the AkuDreams auction. The auction required users to transfer funds with their bid, and allowed them to claim a refund afterwards if the Dutch auction price dropped below their bid. However, a bug in the refund logic allowed AkuDreams to be griefed.
Griefing attacks are different from traditional exploits, as the hacker does not actually profit from them. However, the users and the protocol still suffer. The griefer used a bug in the refund logic to lock the contract in a halfway state. 15,490 ETH ($45 million USD) was left in limbo, with users unable to process refunds, and the team unable to emergency withdraw funds.
Most of the time in an exploit, the damage is done. In this particular case, there was a happy ending – or so everyone thought. The locking was not permanent. It was reversible -but only by the exploiter. An exploiter who was happy to unlock the funds, but only after sufficiently dragging the team via Etherscan transaction messages, and requiring them to admit they screwed up.
The initial shot across the bow to the dev team:
The Can Devs Do Something??? copypasta:
A meme linked by the hacker:
The attacker kept his or her word, and some refunds were processed on the AkuDreams contract. Now, it was a race. The contract was still vulnerable as an actually-malicious hacker could use the same exploit and lock the funds for good.
Tragically, that’s not where the story ends.
As a result of some other poor code, the contract is now stuck for a different reason. This excellent thread explains why for the technical readers.
As a TL;DR for nontechnical readers, the developers did not do their accounting correctly, and the wrong number of bids were tracked. Now the function to withdraw funds can never be activated. This is independent of the initial locking of the contract by the gray hat.
The tragic end: 11,539.5 Ether worth over $34 million USD at time of writing is now stuck, forever, in this contract.
This is a brutal incident. This issue should have been caught. There’s really no excuse. As a user, please only invest in NFTs with serious founders who treat security with the gravity it deserves. Stay safe out there, anon.
For those interested in additional technical details of the griefing attack, twitter user hasan (@notchefbob), who initially called the team out on the error, posted a proof-of-concept exploit to Github.