The highly awaited launch of an NFT project called AkuDreams was marred by a griefing exploit, in which a bug in the project’s smart contract code caused it to mistakenly lock away funds worth $34 million, rendering the team unable to access them. This is how it unfolded.
The platform’s avatar collection went live with a Dutch auction on Friday. The auction opened at 3.5 Ethereum on the basis that the lowest bid would set the final price, and anyone placing a higher bid would receive a refund. AkuDreams pass holders were also promised a 0.5 Ethereum discount on each NFT they minted.
However, the party was cut short when an ongoing exploit, in which attempts were made to freeze refunds, was brought to the project’s notice.
A crypto developer, Foobar, posted code in a tweet showing that “$34 million, or 11,539 eths, is permanently locked into the AkuDreams contract forever. It cannot be retrieved by individual users or by the dev team.”
The team behind the project noted the exploit and said: “We are locked down and consulting with some of the best on the next steps. We will mint your NFTs, and reveal them as soon as humanly possible. We will also be working to issue funds for those pass holders who bid with the intention of securing a price .5 ETH below the final price.”
The bug in the smart contract enabled the attacker to block refunds and withdrawals from the contract. As a result, neither could be processed, and auction participants who bid above the final NFT price could not receive the Ethereum they were owed.
The AkuDreams team acknowledged the issue, saying that the exploit “was not done out of malice” and that it was investigating the incident. “To be clear this is our fault,” the announcement read, after the team promised it would return the lost funds to the community.
It later confirmed that the NFTs would be airdropped to bidders and that it would pay refunds to the pass holders who are owed a 0.5 Ethereum discount.
That said, griefing attacks are distinct from traditional exploits, as the hacker does not actually profit from them. However, the users and the protocol still suffer.