May 2 2022
E5 - Moon Gods Permanently Sacrifice 11K ETH - 5/2/2022
I, Degen - E5: Akutars NFT Auction Misfire Locks 11K ETH - 4/30/2022

Listen at: idegen.fm
Contact us: @idegenfm

Intro

Welcome to I, Degen. Each week, we track down and explore the most exciting crypto stories: hacks, scams, exploits, and anything that feeds our crypto curiosity.

Welcome degens! Come one, come all.

Episode Summary

In this week's episode, we take a look at the brutal Akutars auction bugs that permanently sacrificed 11,539 ETH to the burn 🔥_🔥

5/2 - UPDATE - We recorded this on 4/28 and have since come across some new info on how the Aku team is working with the community to set things right. The community seems to be aligned and supports AkuDreams on the plan.

I, Degen - Weekly

- Silk Road's stolen BTC, recovered by the US Government and used to cover Ross Ulbricht's debt. From Beincrypto
- From The Block: New York lawmakers want to make rug pulling a crime
- ERC721R introduces refundable NFTs to help reduce scams; criticism comes fast. Nice discussion on the Markets Daily podcast
- BAYC holders targeted again. This time hackers took over BAYC's Instagram page and posted a scam claiming BAYC owners were entitled to an airdrop of virtual land. Instead, the link lifted Bored Apes, Mutant Apes and other NFTs from the victims' wallets. From The Defiant: "The hacker stole 91 NFTs in total, including four Bored Apes, and seven Mutant Apes. Just those 11 NFTs are worth $2.6M going by current floor and ETH prices as of Apr. 25."
- OG Zcash trusted ceremony anon John Dobbertin turns out to be Edward Snowden. From Zcash Media
- From Coindesk: Panama Legislature Passes Bill Regulating Crypto. Aimed at bringing crypto projects to Panama, among other things.
- Massive 15.3 million request-per-second (RPS) volumetric HTTPS DDoS attack targets an undisclosed crypto launchpad. The attack lasted only 15 seconds but is notable for its size and its use of HTTPS. From HackerNews
- Another from Coindesk: Ethereum Name Service overtakes Bored Ape Yacht Club in daily trading volume in the rush for short-digit addresses. The race to grab the first 10k numeric ENS addys is partly to blame.

I, Degen - Deep Dive

Moment of Silence - $34 million, or 11,539 ETH, is permanently locked in the AkuDreams contract forever.

What is Aku?

Aku is a character created by former MLB player turned artist Micah Johnson, after hearing a young boy ask, "Can astronauts be black?" Aku was released to the world on Feb 21, 2021 as an NFT in the form of an animated video. - Aku.world

Ten chapters in total, with each chapter in its own style.

Next come the Akutars: new drop, 4/22/22.

What are the Akutars?

"Akutars are a collection of 15,000 unique, 3D Aku avatars with partnerships from Puma, Planes, Vandal, Who Decides War, BBC and Ice Cream. Each Akutar grants you entry into the ever-expanding Akuverse, where lines are blurred between the digital and physical worlds and owners gain exclusive access to culture-defining experiences, products, and collaborations." - Akutars on OpenSea

So this drop was a Dutch auction with a unique feature: the lowest bid sets the price for all minters. - Tweet

Then, when the auction ends, any bid higher than the lowest bid receives a refund of the amount above the lowest bid, minus gas fees.

This is an interesting and cool mechanism. However, there was some faulty logic in the contract.

First issue: If you bid on the auction from a contract, and that contract didn't have a fallback function to handle incoming ETH, then the refund loop would fail. This was exploited; however, the attacker was kind enough to build a switch into their contract that bypasses the failure and lets the refund loop continue.

[image: malicious bidder contract's message]

There is some mention that this bug was pointed out to the AkuDreams team ahead of time and they ignored it. I wasn't able to verify that.

Next issue, the bigger one: The contract was designed to keep track of the bids and the addresses that made them. A simple ++ was used to increment the counter. However, this counter didn't account for cases where a single address bid on more than one Akutar, i.e. a multi-mint in a single transaction. This left the total bid count short. There were 5495 Akutars to be auctioned in total, but the bid counter only made it to 3669.

During the refund loop, there is a check to confirm:

    // this will fail because of the bid counter issue
    require(_refundProgress

and then, in the claimProjectFunds function:

    // this too will fail
    require(refundProgress >= totalBids)

Sooo… 11k ETH is permanently stuck.

What's strange:

- AkuDreams Twitter appears unfazed.
- Not audited?
- Not tested?
- Lots of questionable info floating around on Twitter (not strange, I guess).

Links:

- Aku, The Moon God, and the new age of Web3 Media
- https://www.instagram.com/aku.dreams
- Nice Twitter write-up from 0xInuarashi
- Akutars Auction Contract

I, Degen - Freestyle Convo

Musk buys Twitter

Outro

We do our best to report accurately on the topics we discuss, but we're not always going to get everything right. Please comment here or reach out to us @idegenfm with corrections or comments!
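Added example for the deep dive above. This is constructed Python, not the Akutars contract or anything from the AkuDreams team: it models the two refund-loop defects discussed (a push-style refund loop that one non-receiving contract can abort, and a bid counter incremented once per transaction while the project's claim check counts Akutars) and shows the two countermeasures side by side (count in the same unit the claim check uses, and let bidders pull their own refunds so no single receiver can block the rest). The class names, bidder names, prices and amounts are all made up.

```python
"""Model of the Akutars refund loop described in the deep dive above.
Added example: constructed Python, not the AkuDreams contract. Every
name, address, price and amount here is made up for illustration."""
from dataclasses import dataclass, field
from typing import Optional


class TransferFailed(Exception):
    """A reverted ETH send to a contract that has no receive/fallback function."""


class RequireFailed(Exception):
    """Stands in for a failed Solidity require()."""


@dataclass
class Bidder:
    address: str
    accepts_eth: bool = True  # False models a contract that reverts on incoming ETH


@dataclass
class Bid:
    bidder: Bidder
    price: int   # offered per Akutar, in whole ETH (constructed units)
    amount: int  # Akutars requested in this one transaction (multi-mint if > 1)


@dataclass
class Auction:
    count_per_item: bool = False  # False reproduces the per-transaction '++' bug
    pull_refunds: bool = False    # True replaces the push loop with withdrawals
    bids: list = field(default_factory=list)
    bid_count: int = 0            # what the contract's bid counter reaches
    total_bids: int = 0           # Akutars bid for; gates claim_project_funds
    refund_progress: int = 0
    lowest_price: Optional[int] = None
    paid_out: dict = field(default_factory=dict)  # address -> ETH refunded

    def bid(self, bidder, price, amount=1):
        self.bids.append(Bid(bidder, price, amount))
        self.total_bids += amount
        # Bug: one '++' per bid() call ignores the amount, so bid_count falls
        # short of total_bids as soon as anyone mints more than one.
        self.bid_count += amount if self.count_per_item else 1
        self.lowest_price = price if self.lowest_price is None else min(self.lowest_price, price)

    def refund_due(self, b):
        # Everyone pays the lowest price; the excess over it comes back.
        return (b.price - self.lowest_price) * b.amount

    def process_refunds(self):
        """Push loop: one receiver that reverts aborts the whole call, so
        no state is written unless every transfer succeeds."""
        if self.refund_progress >= self.bid_count:
            raise RequireFailed("Refunds already processed")
        progress, paid = 0, {}
        for b in self.bids:
            if not b.bidder.accepts_eth:
                raise TransferFailed(b.bidder.address)  # whole transaction reverts
            paid[b.bidder.address] = paid.get(b.bidder.address, 0) + self.refund_due(b)
            progress += b.amount if self.count_per_item else 1
        self.refund_progress, self.paid_out = progress, paid

    def withdraw_refund(self, bidder):
        """Pull pattern: each bidder collects its own refund, so a receiver
        that reverts blocks only itself. Returns the ETH sent."""
        if bidder.address in self.paid_out:
            return 0
        if not bidder.accepts_eth:
            raise TransferFailed(bidder.address)
        due = sum(self.refund_due(b) for b in self.bids if b.bidder is bidder)
        self.paid_out[bidder.address] = due
        return due

    def claim_project_funds(self):
        """Returns the ETH the project may withdraw, or raises RequireFailed."""
        if not self.pull_refunds and self.refund_progress < self.total_bids:
            # The check quoted above; unsatisfiable once bid_count < total_bids.
            raise RequireFailed("Refunds not yet processed")
        # Revenue is lowest_price per Akutar. In pull mode the surplus stays
        # escrowed for withdraw_refund instead of gating the project's claim.
        return self.total_bids * self.lowest_price


def constructed_auction(count_per_item=False, pull_refunds=False, extra=()):
    """Three constructed bidders; bob multi-mints, which triggers the bug."""
    a = Auction(count_per_item=count_per_item, pull_refunds=pull_refunds)
    for bidder, price, amount in [(Bidder("alice"), 3, 1), (Bidder("bob"), 2, 3),
                                  (Bidder("carol"), 1, 1), *extra]:
        a.bid(bidder, price, amount)
    return a


def push_refund_outcome(a):
    """process_refunds as a value: 'ok', or which receiver reverted the loop."""
    try:
        a.process_refunds()
        return "ok"
    except TransferFailed as e:
        return f"reverted at {e}"


def claim_outcome(a):
    """claim_project_funds as a value: ETH claimable, or the require message."""
    try:
        return a.claim_project_funds()
    except RequireFailed as e:
        return str(e)


if __name__ == "__main__":
    buggy = constructed_auction()
    print(push_refund_outcome(buggy), buggy.bid_count, buggy.total_bids, buggy.refund_progress)
    print("claim:", claim_outcome(buggy))
    print("claim with per-item counter:", claim_outcome(constructed_auction(count_per_item=True)))
```

Running the stand-alone block plays the buggy auction through: three bid() calls but five Akutars, so refund_progress stops at 3 and the claim check can never see refundProgress >= totalBids. With count_per_item=True the same bids count 5 on both sides and the claim goes through; with pull_refunds=True a bidder contract that rejects ETH only loses its own refund instead of halting everyone's.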