TL:DR:Catastrophic mistakes in crypto are easy. one line of code cost $34m.
Exploit 1: processRefunds() able to get stuckExploit 2: bids count did not increment correctly with mint amountExploit 3: withdraw requires bids count to increment correctlyFinal Caveat: funds stuck forever.I would like to make some ending remarks but it’s hard to find the words.Devs, and Artists, run the NFT space. I would suggest to never skimp out of them.Good devs know and will demand their worth. Invest in audits. Invest in security.
What could have been done better with the Aku Drop:
AkuDreams did a 3.5e Dutch Auction today that refunded anyone who purchased above the final resting price…but their contract was poorly written and had is susceptible to a griefing exploit that would cause the minting funds in the contract to be locked
Hasan tried to tell them
— bender (@0xBender) April 22, 2022
- Enlist the help of third-party auditing firms to look for exploits in your smart contract before you release it.
- Set up a bug bounty program.
- Not brush off concerns from security researchers as unwarranted FUD.
34 Million USD gone. Just like that. Locked in the contract forever.
A lot of people put light on the grieving which locked processRefunds() for a bit, that was the first exploit.
Luckily that was unlocked, but funds are still locked forever. How?
— 0xInuarashi (@0xInuarashi) April 23, 2022