Aku Ethereum NFT Launch Ends With $34M Locked in Flawed Smart Contract

Mistakes in the code for the prominent project launch mean that $34M worth of ETH is apparently inaccessible.

By Andrew Hayward

4 min read

A hotly anticipated Ethereum NFT launch on Friday went seriously awry when apparent flaws in the project’s underlying code (or smart contract) locked away $34 million worth of ETH, which now apparently can't be accessed by the creators or NFT buyers.

The launch was for Akutars, a 3D avatar project and the latest release based on Aku, an original character created by former Major League Baseball player Micah Johnson. The character is a young Black boy who dreams of becoming an astronaut, as inspired by a real-life question posed by Johnson’s nephew.

The Akutars project spans 15,000 Ethereum avatars with randomized traits, with owners of earlier Aku NFTs granted a free avatar for each piece they held. The remaining 5,500 avatar NFTs launched on Friday via a Dutch Auction format starting at 3.5 ETH (about $10,350 at the time), with the price gradually decreasing.

Once the launch started, however, a Twitter user named Hasan warned of an issue with the smart contract—and wrote that he was told by Aku’s developers that he was “wrong” and was assured that there were failsafes in place to prevent the issue.

However, someone going by the name USER221 then triggered the suspected exploit, which apparently halted both Ethereum withdrawals and refunds from the contract, according to a thread by Ethereum developer 0xInuarashi.

Alongside the exploit came a note urging the developers to “please do bug bounty on your contracts or have them audited at least.” USER221 then sent a separate note attached to an Ethereum transaction, writing that they would effectively unlock the project.

“Well, this was fun, had no intention of actually exploiting this lol,” they wrote. “Otherwise I wouldn't have used Coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately.”

The project started working again, but then another, separate bug popped up. As 0xInuarashi’s thread describes, a flaw in the Aku developers’ smart contract code failed to account for multiple NFT mints within the same transaction, and the contract requires the numbers to line up properly to enable withdrawals of any kind.

Ultimately, the end result is that 11,539 ETH—worth about $34 million as of Friday—is locked within the automated smart contract, which appears to be permanently stuck. Aku’s creators won't be able to withdraw any funds from the sale, and NFT owners who held an Akutar Mint Pass NFT can't receive their promised 0.5 ETH refunds from it.

Aku’s next steps

In a postmortem Twitter thread on Friday night, the Aku team wrote that the aforementioned exploiter (USER221) was only trying to help diagnose a buggy smart contract.

“The exploit in the contract was not done out of malice; the person intended to bring attention to best practices for highly visible projects & novel mechanics,” the project tweeted. “They unblocked the exploit quickly after we dug in and took ownership.”

Johnson also apologized on Twitter for pushback to developers who first recognized the problems in the smart contract code. “I completely own up to that,” he wrote. “I'm unfortunately not a developer and spoke prematurely about what I understood wasn’t a problem but ended up being. I’m really really sorry.”

Aku’s creators will issue the 0.5 ETH refunds to Akutar Pass Holders via funds pulled from the separate treasury of previous Aku NFT sales. Meanwhile, the Akutars NFTs will be airdropped to buyers via a new, separate smart contract, which has already had its code released to the public for vetting and features assistance from the creators of the Anonymice NFT project.

“The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku,” Johnson tweeted, “[and] most everything will go back to refunds and we will keep building what we set out to do. Brick by brick.”

The first Aku NFTs launched on Nifty Gateway in February 2021 and ultimately spanned 10 initial chapters, telling the story of the imaginative boy with a space helmet. The artwork for one Aku NFT drop was actually beamed to a server on the International Space Station last summer before being minted on the Ethereum blockchain. All proceeds from that drop benefitted an educational nonprofit.

The NFT-driven IP has also been optioned for film and TV adaptations, plus Aku was tapped for a live Aku World event in Miami last December during Art Basel.

Get crypto news straight to your inbox--

sign up for the Decrypt Daily below. (It’s free).

Recommended News