AkuDreams Griefed: Careless Code Leads To $45 Million Locked

Refundable auctions are a hot topic today on Twitter. There was the wildly successful Anata NFT drop… and then there was the AkuDreams auction. The auction required users to transfer funds with their bid, and allowed them to claim a refund afterwards if the Dutch auction price dropped below their bid. However, a bug in the refund logic allowed AkuDreams to be griefed.

Griefing attacks are different from traditional exploits, as the hacker does not actually profit from them. However, the users and the protocol still suffer. The griefer used a bug in the refund logic to lock the contract in a halfway state. 15,490 ETH ($45 million USD) was left in limbo, with users unable to process refunds, and the team unable to emergency withdraw funds.

Most of the time in an exploit, the damage is done. In this particular case, there was a happy ending – or so everyone thought. The locking was not permanent. It was reversible -but only by the exploiter. An exploiter who was happy to unlock the funds, but only after sufficiently dragging the team via Etherscan transaction messages, and requiring them to admit they screwed up.

The initial shot across the bow to the dev team:

The Can Devs Do Something??? copypasta:

A meme linked by the hacker:

Anakin Padme 4 Panel |  FUNDS ARE LOCKED; But the refunds will go out right? BUT THE REFUNDS? | image tagged in anakin padme 4 panel | made w/ Imgflip meme maker

And the final happy ending (pt. 1, pt. 2)

The attacker kept his or her word, and some refunds were processed on the AkuDreams contract. Now, it was a race. The contract was still vulnerable as an actually-malicious hacker could use the same exploit and lock the funds for good.

Tragically, that’s not where the story ends.

As a result of some other poor code, the contract is now stuck for a different reason. This excellent thread explains why for the technical readers.

As a TL;DR for nontechnical readers, the developers did not do their accounting correctly, and the wrong number of bids were tracked. Now the function to withdraw funds can never be activated. This is independent of the initial locking of the contract by the gray hat.

The tragic end: 11,539.5 Ether worth over $34 million USD at time of writing is now stuck, forever, in this contract.

This is a brutal incident. This issue should have been caught. There’s really no excuse. As a user, please only invest in NFTs with serious founders who treat security with the gravity it deserves. Stay safe out there, anon.

For those interested in additional technical details of the griefing attack, twitter user hasan (@notchefbob), who initially called the team out on the error, posted a proof-of-concept exploit to Github.

Photo of author

Written By BowTiedPickle

Anonymous cartoon pickle inspired by BowTiedBull. Degen chemical engineer, moonlighting as a Solidity developer.

Disclosure

This article may contain links to third-party websites or other content for information purposes. BowTiedIsland may receive a commission at no cost to you if you purchase a product after clicking one of these links. The Third-Party Sites are not under the control of BowTiedIsland, and BowTiedIsland is not responsible for the content of any Third-Party Site. All information contained herein is the opinion of the writer and does not constitute financial advice. We aim to act as a neutral third party and aid in your research and analysis.


The Jungle


Crypto, Investing, and E-Commerce with BowTied Bull

The future is internet based, therefore we have a triangle based approach with crypto, e-commerce business making and Investing in traditional assets

Break Into a 6-Figure Wall Street Career

Learn how to efficiently break into investment banking and private equity. The Banker’s Bible is a definitive resource that offers an   A-Z blueprint and also gives you 24/7 access to real finance professionals. 

Fitness With BowTiedOx

BowTiedOx provides you a place to find all of his latest programs and guides.

Weekly newsletters that cover fitness, health, and mindset, all grounded in the fundamentals of physiology.

Media Production with BowTied Turkey and BowTied Tamarin

Video is no longer optional.

Don’t get left behind.

Your brand deserves professional videos to engage your audience.

Art & Graphic Design with BowTied Patriot

BowTied Patriot is a graphic artist who specializes in photography, mixed medium custom artwork, and NFT creation.

Join BowTiedPatriot as he dives into making Art in Web3.0 and The Metaverse.

Cooking with BowTiedOctopod

Learn secrets from a fine dining chef for maximum flavor and time-saving efficiency

Newsletters on Ingredients, Techniques and Flavor hacks that will have you eating better. We will never eat bugs!

Meme Warfare with DgenFren

Increase your online engagement, organically influence narratives, and build your online persona by using marketing that your target audience actually wants: memes.

Learn How to Sell with BowTiedSalesGuy

Sales is one of the most transferrable life skills, yet few know how to actually sell.

Traditional sales tactics don’t cut it in today’s hyper competitive world.

Learn the secrets from a Chad Salesman and change your Life forever.

Ecommerce with BowTiedOpossum

Learn the skills to start and build your first online business.

Want to build a business that travels with you?

Learn from an industry veteran that has worked on and with brands you already know.