TL;DR: Catastrophic mistakes in crypto are easy. One line of code cost $34m.
Exploit 1: processRefunds() able to get stuck
Exploit 2: bids count did not increment correctly with mint amount
Exploit 3: withdraw requires bids count to increment correctly
Final Caveat: funds stuck forever.
I would like to make some ending remarks but it’s hard to find the words.
Devs, and Artists, run the NFT space. I would suggest to never skimp out on them.
Good devs know and will demand their worth. Invest in audits. Invest in security.
I would never wish this upon anyone. It is truly gut wrenching and I am really sad to see this happen. – 0xInuarashi
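The thread above lists three findings but does not show the contract code. The toy auction below is an added example (it is not the AkuDreams contract and is not from 0xInuarashi): it models findings 2 and 3 only. The names `total_bids`, `refund_progress`, `bid()`, `process_refunds()` and `can_withdraw()`, the batched refund loop, and the exact gating condition are all assumptions for illustration. The point it makes is the invariant a reviewer should check in any "withdraw waits for refunds to finish" gate: the counter the gate compares against must advance in the same unit as the loop that is supposed to catch up with it. Finding 1 (the refund loop itself being stalled) is not modelled here.

```python
# Added example, not AkuDreams contract code. All names and the gating
# condition are assumptions that illustrate the counter mismatch described
# in the thread (findings 2 and 3).
from dataclasses import dataclass, field


@dataclass
class Bid:
    bidder: str
    amount: int    # tokens minted by this bid
    paid: int      # wei sent with this bid


@dataclass
class DutchAuction:
    final_price: int                      # resting price per token after the auction closes
    count_per_token: bool                 # True reproduces the mismatch; False is the fix
    bids: list = field(default_factory=list)
    total_bids: int = 0                   # counter that can_withdraw() waits on
    refund_progress: int = 0              # bid *entries* process_refunds() has handled
    balance: int = 0                      # wei held by the contract

    def bid(self, bidder: str, amount: int, price: int) -> None:
        """Mint `amount` tokens at the current price; one bid entry per call."""
        if amount < 1 or price < self.final_price:
            raise ValueError("invalid bid")
        self.bids.append(Bid(bidder, amount, amount * price))
        self.balance += amount * price
        # Buggy variant: the counter grows by tokens minted, while the refund
        # loop advances by one per bid entry, so the two never meet whenever
        # any bidder mints more than one token.
        self.total_bids += amount if self.count_per_token else 1

    def process_refunds(self, batch: int) -> int:
        """Refund overpayment for the next `batch` entries; returns entries handled."""
        start = self.refund_progress
        end = min(start + batch, len(self.bids))
        for b in self.bids[start:end]:
            refund = b.paid - b.amount * self.final_price
            self.balance -= refund            # refund transfer modelled as a debit
        self.refund_progress = end
        return end - start

    def can_withdraw(self) -> bool:
        """Project funds are released only once refunds have 'caught up'."""
        return self.refund_progress >= self.total_bids

    def refunds_remaining(self) -> int:
        return len(self.bids) - self.refund_progress


def run_auction(count_per_token: bool) -> dict:
    """Constructed scenario: three bidders, one mints 3 tokens, final price 1 ETH."""
    eth = 10**18
    a = DutchAuction(final_price=1 * eth, count_per_token=count_per_token)
    a.bid("alice", 1, 3 * eth)    # paid 3 ETH, owed 1 -> refund 2
    a.bid("bob", 3, 2 * eth)      # paid 6 ETH, owed 3 -> refund 3
    a.bid("carol", 1, 1 * eth)    # paid 1 ETH, owed 1 -> refund 0
    while a.refunds_remaining() > 0:
        a.process_refunds(batch=2)
    return {
        "total_bids": a.total_bids,
        "refund_progress": a.refund_progress,
        "can_withdraw": a.can_withdraw(),
        "balance_eth": a.balance // eth,
    }


if __name__ == "__main__":
    print("buggy:", run_auction(count_per_token=True))
    print("fixed:", run_auction(count_per_token=False))
```

In the buggy run every refund is paid out and 5 ETH of legitimate proceeds remain in the contract, yet `can_withdraw()` stays false because `refund_progress` (3 entries) can never reach `total_bids` (5 tokens). Flipping the counter to advance per entry, as the fixed run does, releases the funds with no other change. A unit test that drives the full refund loop and then asserts the withdraw gate opens is the cheap check that would have caught this before deployment.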
What could have been done better with the Aku Drop:
does anyone know any connect to devs at @AkuDreams
this is an urgent matter regarding their drop.
— hasan (@notchefbob) April 22, 2022
AkuDreams did a 3.5e Dutch Auction today that refunded anyone who purchased above the final resting price… but their contract was poorly written and was susceptible to a griefing exploit that would cause the minting funds in the contract to be locked.
Hasan tried to tell them
— bender (@0xBender) April 22, 2022
- Enlist the help of third-party auditing firms to look for exploits in your smart contract before you release it.
- Set up a bug bounty program.
- Not brush off concerns from security researchers as unwarranted FUD.
34 Million USD gone. Just like that. Locked in the contract forever.
A lot of people put light on the griefing which locked processRefunds() for a bit; that was the first exploit.
Luckily that was unlocked, but funds are still locked forever. How?
— 0xInuarashi (@0xInuarashi) April 23, 2022