E5 - Moon Gods Permanently Sacrifice 11K ETH - 5/2/2022
Download MP3In this week’s episode, we take a look at the brutal AkuTars auction bugs that permanently sacrificed 11,539 ETH to Ether 🔥_🔥
I, Degen - E5: Akutars NFT Auction Misfire Locks 11K ETH - 4/30/2022
Listen at: idegen.fm
Contact us: @idegenfm
Intro
Welcome to I, Degen - Each week, we track down and explore the most exciting crypto stories. Hacks, scams, exploits, and anything that feeds our crypto curiosity.
Welcome degens! Come one, come all.
Episode Summary
In this week’s episode, we take a look at the brutal AkuTars auction bugs that permanently sacrificed 11,539 ETH to the burn 🔥_🔥
5/2 - UPDATE - We recorded this on 4/28 and since have come across some new info related to how the Aku team is working with the community to set things right. The community seems to be aligned and supports AkuDreams on the plan.
I,Degen - Weekly
- SilkRoads stolen BTC, recovered by US Gov and used to cover Ross Ulbricht’s debt - Beincrypto
- From the block New York Lawmakers want to make rug pulling a crime
- ERC712R introduces refundable NFTs to help reduce scams, criticism comes fast. Nice discussion on Markets Daily podcast
- BAYC holders targeted again. This time hackers owned BAYC’s Insta page, posted a scam claim for BAYC owners were entitled to an airdrop for virtual land. Instead, the link lifted ape and mutant apes, and other NFTS is the victims wallet. From the Defiant - “The hacker stole 91 NFTs in total, including four Bored Apes, and seven Mutant Apes. Just those 11 NFTs are worth $2.6M going by current floor and ETH prices as of Apr. 25.”"
- OG Zcash trusted ceremony anon John Dobbertin turns out to be Edward Snowden. From Zcash Media
- From Coindesk Panama Legislature Passes Bill Regulating Crypto. Aimed and bringing crypto projects to Panama and other important things.
- Massive 15.3 million request-per-second (RPS) volumetric https DDoS attack targets undisclosed crypto launchpad. The attack only lasted 15 seconds but notable for it’s size and use of HTTPS. From HackerNews
- Another from Coindesk Ethereum Name Service overtakes Bored Ape Yacht Club in daily trading volume in rush for short digit addresses. Race to grab first 10k numeric ENS addys partly to blame.
I, Degen - Deep Dive
Moment of Slience - $34 million, or 11,539 eth, is permanently locked into the AkuDreams contract forever.
What is Aku?
Aku is a character created by former MLB player turned artist, Micah Johnson, after hearing a young boy ask, “Can astronauts be black?”Aku was released to the world on Feb 21, 2021 as an NFT in the form of an animated video
Ten chapters in total, with each chapter in it’s own style.
Next, comes the Akutars…new drop, 4/22/22.
What are the Akutars:
Akutars are a collection of 15,000 unique, 3D Aku avatars with partnerships from; Puma, Planes, Vandal, Who Decides War, BBC and, Ice Cream. Each Akutar grants you entry into the ever-expanding Akuverse, where lines are blurred between the digital and physical worlds and owners gain exclusive access to culture-defining experiences, products, and collaborations.
– Akutars on OpenSeaSo this drop was dutch auction with a unique feature that allowed the lowest bid to set the price for all minters. – Tweet
Then, when the auction ends, any bid higher than the lowest bid will receive a refund of the lowest bid, minus gas fees.
This is an interesting and cool mechanism. However, there was some faulty logic in the contract.
First issue: If you bid on the auction from a contract, and that contract didn’t have a fallback function to handle incoming ETH, then the refund loop would fail. This was exploited, however, the attacker was kind enough to build a switch into their contract that would bypass the failure and allow the refund loop to continue.
There is some mention that this bug was pointed out to the AkuDreams team ahead of time and they ignored it. I wasn’t able to verify that.
Next Issue: Bigger issue. The contract was designed to keep track of the bids, and addresses that made those bids. A simple ++ was used to increment the counter. However, this counter didn’t account for cases where a single address bid on more than one Akutar. AKA, multi-mint in a single transaction. This left the total bid count short. There were 5495 total Auktars to be auctioned, but bid counter only made it to 3669.
During the refund loop, there is a check to confirm:
# this will fail because of the bid counter issue
require(_refundProgress < _bidIndex)
require(_refundProgress < _bidIndex)
and then, in the claimProjectFunds function:
# This too will fail
require(refundProgress >= totalBids)
# This too will fail
require(refundProgress >= totalBids)
Sooo… 11k ETH is permanently stuck.
What’s strange:
- AkuDreams Twitter appears unfazed.
- not audited?
- not tested?
- lots of questionable info floating around on twitter (not strange I guess)
links:
- Aku, The Moon God, and the new age of Web3 Media
- https://www.instagram.com/aku.dreams
- Nice twitter write up from 0xInuarashi
- Akutars Auction Contract
I, Degen - Freestyle Convo
Musk buys Twitter
[[[Outro]]]
We do our best to report accurately on the topics we discuss but we’re not always going to get everything right. Please comment here or reach out to us @idegenfm with corrections or comments!
https://hackmd.io/@idegen/I-Degen-E5-Akutars-NFT-Auction-Misfire
Show Image right click saved from: https://opensea.io/assets/0xaad35c2dadbe77f97301617d82e661776c891fa9/5