The contract that had vulnerabilities was deployed at 0xf42c318dbfbaab0eee040279c6a2588fa01a961d on Ethereum.
Introduction to Akutars
Akutars is an "avatar" NFT project consisting of 15,000 NFTs depicting a black boy wearing an astronaut hat, with many variations in costume, color, and background. That is the idea of Micah Johnson, a former American professional baseball player.
As planned, the Akutars opening event was conducted according to the Dutch Auction method, a descending auction. More specifically, buyers will send the amount of ETH representing the price at which they want to buy NFT to the Akutars smart contract. The project will then choose a reasonable price, and those who bid higher will be refunded.
On April 23, 2022, 11,539 ETH was permanently locked on the Aku Smart Contract because of two different exploits.
The first exploit
- The attacker’s address was 0x4C6731D49A8667fa5e853EF2F586e9C7F73c3d72 on Ethereum.
- The attacking contract’s address was deployed at 0x69108194071392772AF1c84181F7062AA81AEdd2 on Ethereum.
- The processRefunds()function had a vulnerability. The code is in the following image:
Contract calls are made to each address to repay everyone. However, what if the minter is a smart contract? By using the 'fallback' function. As a result, refunds could only be processed if the hacker wanted to.
The smart contract looked like this:
The hacker's transactions were carried out in this sequence, which turned out to be white-hat, and the funds were released.
But a new bug appeared.
The second exploit
The funds cannot be withdrawn unless the owners repay everyone. However, they cannot repay them since one function sums the number of bids while the other sums "1" instead of the amount. When values clash, funds are locked indefinitely.
Akutars, therefore, had to see the above money permanently locked on the blockchain. That means they did not receive any money from the NFT sales but still had an obligation to transfer the NFT to those who bought it successfully.
Many projects share Akutars' case as a warning to programming teams preparing to deploy their projects that they must review the smart contract code more carefully before deploying.
The only source of knowledge is experience. Therefore, by having thorough information on the different blockchain attack cases, readers as investors and developers could gain critical insights that help them avoid future risks.