Akutars token sale contract vulnerability leaves a large amount of ETH unrecoverable


The NFT project Akutars held a public Dutch-auction sale on the 23rd with a refund mechanism. Because of a contract vulnerability, an attacker was able to exploit the refund function, leaving a large amount of funds locked in the contract; refunds are currently inaccessible.

Akutars' Refundable Dutch Auctions and Discount Pass

A Dutch auction is a sale in which the price starts high and is lowered on a fixed time schedule. Akutars set its rules as follows: the price starts at 3.5 ETH and drops by 0.1 ETH every six minutes. The lowest accepted bid at the close of the auction becomes the single settlement price, and every bidder who paid more than that is refunded the difference. For example, if the final lowest bid is 3 ETH, a bidder who paid 3.5 ETH is owed a 0.5 ETH refund.

In addition, Akutars issued a Pass NFT as a minting certificate. Holders of an Akutars Pass get a 0.5 ETH discount on the final price, meaning that whatever the final price turns out to be, they receive an additional 0.5 ETH refund. Note: the Pass snapshot has already been taken, so, as the official announcement states, buying a Pass now no longer entitles you to an Akutars NFT.
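The auction rules above, worked through as an added Python example (this is not code from Akutars or from the page): the price schedule, the settlement price, and the per-bidder refund including the Pass discount. The floor price, the bidder names and the bid amounts are constructed for the example; the page states no floor.

```python
from dataclasses import dataclass

ETH = 10**18  # 1 ether in wei; every amount below is an integer in wei

# Parameters from the page: start at 3.5 ETH, drop 0.1 ETH every six minutes,
# Pass holders get 0.5 ETH back on top of the difference refund.
START_PRICE = 35 * ETH // 10
STEP = ETH // 10
STEP_SECONDS = 6 * 60
PASS_DISCOUNT = 5 * ETH // 10
# Assumption: the page gives no floor price, so the example stops the decay at
# the Pass discount, which keeps Pass-holder refunds from exceeding what was paid.
FLOOR_PRICE = PASS_DISCOUNT


def price_at(elapsed_seconds: int) -> int:
    """Dutch-auction price `elapsed_seconds` after the start."""
    if elapsed_seconds < 0:
        raise ValueError("auction has not started")
    steps = elapsed_seconds // STEP_SECONDS
    return max(FLOOR_PRICE, START_PRICE - steps * STEP)


@dataclass(frozen=True)
class Bid:
    bidder: str
    amount: int      # wei paid when the bid was placed
    has_pass: bool   # Pass ownership as of the snapshot (constructed flag)


def settle(bids: list[Bid]) -> tuple[int, dict[str, int]]:
    """Settle the auction: the lowest accepted bid becomes the price everyone
    pays, and each bidder is owed (amount - final_price), plus PASS_DISCOUNT
    for Pass holders. Returns (final_price, refunds keyed by bidder)."""
    if not bids:
        raise ValueError("no bids")
    final_price = min(b.amount for b in bids)
    if final_price < FLOOR_PRICE:
        raise ValueError("a bid below the floor price should have been rejected")
    refunds: dict[str, int] = {}
    for b in bids:
        owed = b.amount - final_price + (PASS_DISCOUNT if b.has_pass else 0)
        refunds[b.bidder] = refunds.get(b.bidder, 0) + owed
    # Solvency check: the refund table must never exceed what the contract holds.
    if sum(refunds.values()) > sum(b.amount for b in bids):
        raise AssertionError("refund table exceeds contract balance")
    return final_price, refunds


if __name__ == "__main__":
    # Constructed sample: two bidders, the second holds a Pass.
    sample = [Bid("alice", 35 * ETH // 10, False), Bid("bob", 3 * ETH, True)]
    final, owed = settle(sample)
    print(f"final price {final / ETH} ETH, refunds:",
          {k: v / ETH for k, v in owed.items()})
```

Amounts are kept as integer wei throughout, the way a contract would hold them; the solvency check at the end of `settle` is the invariant a refund contract must preserve before it starts paying anyone out.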

This design looks bidder-friendly, but the refund contract has run into problems.

Refund Mechanism Attacked, Refunds Stuck

According to a statement from developer @0xBender, the team ignored a warning from @notchefbob, the first person to discover the vulnerability, which led to the current predicament. Someone then attacked the minting setup, leaving a large sum stuck in AkuDreams' smart contract, where neither the team nor participants can reach it for refunds. The attacker attached the message "I'm the boss" to the malicious transaction.

Akutars said they believe the attack was not malicious but an attempt to draw attention; by the time the team began investigating, the attacker had already stopped exploiting the vulnerability. However, the 0.5 ETH refund for Akutar Pass holders has not been distributed: some refunds were issued, but the remaining funds are locked in the contract and out of the team's reach.
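How a refund function can leave funds locked, as an added Python model that is not the Akutars contract (the page does not reproduce its code). It assumes the class of bug in which refunds are pushed to every bidder in one loop and a single recipient that rejects ETH reverts the whole transaction, and contrasts it with a pull-style withdraw. The accounts, names and amounts are constructed for the example.

```python
# Constructed model of two refund designs, in integer wei. The push design
# is an assumption about the class of bug behind a stalled batch refund.

ETH = 10**18


class Account:
    """An address that can receive ETH. accepts=False models a contract whose
    receive()/fallback reverts, which is all a hostile bidder needs."""

    def __init__(self, name: str, accepts: bool = True):
        self.name = name
        self.accepts = accepts
        self.balance = 0

    def receive(self, amount: int) -> None:
        if not self.accepts:
            raise RuntimeError(f"{self.name}: receive() reverted")
        self.balance += amount


class PushRefunds:
    """Refunds pushed to every bidder in a loop; a failed send reverts the
    whole transaction (require(success) semantics), so no one gets paid."""

    def __init__(self, owed: dict[Account, int]):
        self.queue = list(owed.items())
        self.progress = 0                 # index of the next bidder to refund
        self.balance = sum(owed.values())

    def process_refunds(self) -> bool:
        start = self.progress
        paid: list[tuple[Account, int]] = []
        try:
            while self.progress < len(self.queue):
                acct, amount = self.queue[self.progress]
                acct.receive(amount)
                paid.append((acct, amount))
                self.progress += 1
            self.balance -= sum(a for _, a in paid)
            return True
        except RuntimeError:
            # Revert: undo every transfer made in this transaction.
            for acct, amount in paid:
                acct.balance -= amount
            self.progress = start
            return False


class PullRefunds:
    """Each bidder withdraws their own refund; a hostile recipient can only
    block itself. Effects are recorded before the external call."""

    def __init__(self, owed: dict[Account, int]):
        self.owed = dict(owed)
        self.balance = sum(owed.values())

    def withdraw(self, acct: Account) -> int:
        amount = self.owed.get(acct, 0)
        if amount == 0:
            raise ValueError("nothing owed")
        self.owed[acct] = 0
        self.balance -= amount
        try:
            acct.receive(amount)
        except RuntimeError:
            self.owed[acct] = amount      # the whole call reverts; restore state
            self.balance += amount
            raise
        return amount


def run_scenario() -> dict:
    """Same refund table under both designs: two honest bidders and one
    bidder whose contract rejects ETH."""
    def table():
        a, b = Account("alice"), Account("bob")
        x = Account("blocker", accepts=False)
        return a, b, x, {a: ETH // 2, b: 3 * ETH // 10, x: ETH // 10}

    a1, b1, x1, owed1 = table()
    push = PushRefunds(owed1)
    push_ok = push.process_refunds()

    a2, b2, x2, owed2 = table()
    pull = PullRefunds(owed2)
    pull.withdraw(a2)
    pull.withdraw(b2)
    try:
        pull.withdraw(x2)
        blocker_blocked = False
    except RuntimeError:
        blocker_blocked = True

    return {
        "push_completed": push_ok,
        "push_locked_wei": push.balance,
        "push_alice_paid": a1.balance,
        "pull_alice_paid": a2.balance,
        "pull_bob_paid": b2.balance,
        "pull_blocker_blocked": blocker_blocked,
        "pull_remaining_wei": pull.balance,
    }


if __name__ == "__main__":
    print(run_scenario())
```

In the push design every honest bidder's refund is hostage to the one recipient that reverts, and the contract balance stays locked; in the pull design the only refund that cannot be paid is the blocker's own. The practical check before launching a contract that pays out to arbitrary addresses is to ask whether any single recipient can make a shared transaction fail.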

Akutars acknowledged the mistake and said they are discussing next steps; the NFTs will still be minted and distributed, and the team is working on resolving refunds for Akutar Pass holders who have not received them.

For further analysis of the attack, see:

@0xfoobar's post

Taiwanese developer @DegenBing's post.