How One Line of Code Caused $34 Million in ETH Losses


AkuDreams raised $34 million worth of ETH but it's locked in a smart contract forever....


AkuDream turns to AkuNightmare

AkuDreams is an NFT project created by former baseball star Micah Johnson, and it has been very successful. It launched in 2021, and one of the 10 "chapters" of the collection has a floor price of $85,000. The most recent drop was run as a Dutch auction, where the lowest bid sets the final price of the NFT and higher bids are refunded the difference. Sounds pretty straightforward, right?

Well, when you have amateurs writing code, you are subject to logic failures in that code. Something as simple as the order the lines are written in can drastically change how the contract behaves. I'm no professional developer, but I do have a basic understanding of Solidity for smart contracts, and I've dealt with this kind of thing firsthand. Unfortunately, they didn't bother to have the code audited or tested... Let's look at the code, courtesy of 0xInuarashi on Twitter.

[image: screenshot of the refund code]

What we're looking at here is the piece of code that processes refunds. Going from top to bottom, it first checks whether the auction has concluded by comparing the current block against the block set as the end time. If the expiration block has passed, the refunds are processed. It then looks up the stored bid data and uses it to determine which wallets are eligible. Makes sense.

The critical point of failure is that this only pulls data from the UI where bids were collected. If someone called the smart contract directly, which anyone can do by finding the contract on a block explorer, that data could not be checked. Calling the contract externally basically breaks it, because it is not allowed to process refunds unless it can pull the bid data.

Because this function works in a loop, making it fail literally freezes refunds. How crazy is that? Are you completely lost at this point? Are you bored? Probably. There's over 11,000 ETH locked in this NFT project's smart contract because of amateur coding.


Basically, someone exploited this piece of code and caused refunds to freeze, so no one is receiving funds from the contract. What's really mind-blowing is the next piece of code, which allows the team to claim funds from the project. Conveniently, the function is named claimProjectFunds(). Here's what it looks like.

[image: screenshot of the claimProjectFunds() function]

This code looks like it will work flawlessly and allow the owner of the contract (the team) to withdraw the funds raised after refunds are processed. Did you catch that? After refunds are processed. I got bad news, dawg. No refunds are being processed, because someone broke the smart contract with a malicious bid from an external smart contract call.

That means the function that allows the team to withdraw funds is also broken. Yes, this means that not only do bidders not receive refunds from the contract... the team also can't touch the funds they raised from the sale of the NFTs. Holyshit.gif


What's really crazy is that the exploiter undid the exploit, which allowed refunds to start processing again. That's all fine and dandy, but take another look at the code for the claimProjectFunds() function and you'll quickly realize there's another issue. The refunds are processing again, but the logic in this function requires the number of refunds processed to be greater than or equal to the total number of bids.

[image: the claimProjectFunds() check on the refund count]

That can't happen, because refunds were frozen and tons of them failed. Big oof. Some bidders are being refunded, but the team will never be able to access this $34 million. Ouch! This is a very expensive lesson for anyone running a crypto or NFT project. Get your code audited. Get your code tested. Hire experienced developers.
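To make the two failure points concrete, here is an added Solidity sketch written for this post. It is not the AkuDreams contract and not code from 0xInuarashi's thread; every name in it (AuctionBase, PushRefundAuction, PullRefundAuction, processRefunds, refundProgress, withdrawRefund and so on) is assumed. The first contract pushes refunds from a loop and gates claimProjectFunds() on that loop reaching the total bid count, which is the shape of the problem described above: one bidder address that refuses incoming ETH stalls the batch, and the stalled counter then locks the team's withdrawal too. The second contract uses the pull-payment pattern and accounts for the project's share separately, so neither effect is possible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed, illustrative scaffolding shared by both variants; not AkuDreams code.
abstract contract AuctionBase {
    address public owner;
    uint256 public closesAt;    // bidding stops at this timestamp
    uint256 public finalPrice;  // clearing price, fixed when the auction ends
    bool public ended;

    constructor(uint256 duration) {
        owner = msg.sender;
        closesAt = block.timestamp + duration;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Dutch auction: the clearing price is the lowest accepted bid, so every
    // stored bid is assumed to be at least finalPrice.
    function endAuction(uint256 price) external onlyOwner {
        require(block.timestamp >= closesAt, "still open");
        finalPrice = price;
        ended = true;
    }
}

// Variant 1: refunds pushed from a loop, claim gated on that loop's progress.
contract PushRefundAuction is AuctionBase {
    struct Bid { address bidder; uint256 amount; }
    Bid[] public bids;
    uint256 public refundProgress;  // index of the next bid to refund

    constructor(uint256 duration) AuctionBase(duration) {}

    function placeBid() external payable {
        require(block.timestamp < closesAt, "bidding closed");
        bids.push(Bid(msg.sender, msg.value));
    }

    // Weak: the whole batch runs in one transaction. If any bidder address
    // rejects ETH (e.g. a contract whose receive() reverts), require() undoes
    // the batch and refundProgress never advances past that bid.
    function processRefunds(uint256 count) external {
        require(ended, "auction not over");
        uint256 stop = refundProgress + count;
        if (stop > bids.length) stop = bids.length;
        for (uint256 i = refundProgress; i < stop; i++) {
            uint256 owed = bids[i].amount - finalPrice;
            (bool ok, ) = bids[i].bidder.call{value: owed}("");
            require(ok, "refund failed");
        }
        refundProgress = stop;
    }

    // Weak: withdrawal waits for the loop to finish, so whatever stalls the
    // refunds also locks the sale proceeds.
    function claimProjectFunds() external onlyOwner {
        require(refundProgress >= bids.length, "refunds not finished");
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "claim failed");
    }
}

// Variant 2: pull refunds, and the project's share accounted for separately.
contract PullRefundAuction is AuctionBase {
    uint256 public bidCount;        // total bids, sizes the project's share
    uint256 public projectClaimed;  // proceeds already withdrawn
    mapping(address => uint256) public paid;    // ETH deposited per bidder
    mapping(address => uint256) public bidsOf;  // bids per bidder

    constructor(uint256 duration) AuctionBase(duration) {}

    function placeBid() external payable {
        require(block.timestamp < closesAt, "bidding closed");
        paid[msg.sender] += msg.value;
        bidsOf[msg.sender] += 1;
        bidCount += 1;
    }

    // Hardened: each bidder collects only its own refund, so an address that
    // rejects ETH blocks nobody else. State changes before the external call
    // (checks-effects-interactions), so a re-entering caller finds nothing owed.
    function withdrawRefund() external {
        require(ended, "auction not over");
        uint256 cost = bidsOf[msg.sender] * finalPrice;
        uint256 owed = paid[msg.sender] - cost;  // 0.8 reverts on underflow
        require(owed > 0, "nothing owed");
        paid[msg.sender] = cost;
        (bool ok, ) = msg.sender.call{value: owed}("");
        require(ok, "refund failed");
    }

    // Hardened: the project's share is bidCount * finalPrice by construction,
    // independent of how many refunds have been collected so far.
    function claimProjectFunds() external onlyOwner {
        require(ended, "auction not over");
        uint256 claimable = bidCount * finalPrice - projectClaimed;
        require(claimable > 0, "nothing to claim");
        projectClaimed += claimable;
        (bool ok, ) = owner.call{value: claimable}("");
        require(ok, "claim failed");
    }
}
```

In the second variant a bidder whose address reverts on receiving ETH only loses access to its own refund; every other bidder's withdrawRefund() call and the owner's claimProjectFunds() keep working. It also sidesteps the counting condition discussed above: the claim no longer depends on refund progress at all, so a partial or failed refund run cannot strand the proceeds. The same two patterns (pull over push payments, and withdrawal conditions computed from accounting rather than from loop counters) are exactly the kind of thing an audit or a test suite with a reverting bidder contract would have flagged.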

Getting your contracts audited is not a foolproof way to make sure your project will execute properly. But it is a damn good way to make sure the code logic at least makes sense and can be tested. How they can be dealing with this much money and not get the absolute best devs out there plus multiple audits is beyond me... But I guess that's why I'm not a millionaire.

I say it time and time again: the crypto and NFT space is the wild west. We have to constantly watch our own backs, we have to do our own research, and we have to take our security seriously. This goes for both the consumer and the creator. Don't subject yourself to substantial losses like this to save a few dollars by skipping an audit. That's just reckless.

RIP to the 11,539.5 ETH locked in the AkuDreams smart contract forever. Pouring one out for them bois.


Thanks for reading! Much love.


Posted Using LeoFinance Beta
