How an NFT creator lost $34 million due to a smart contract error
Due to a simple smart contract error during a new NFT launch, $34 million in ETH is locked away from both the creator and buyers, as of Friday.
On April 22, major league baseball player turned NFT artist Micah Johnson launched his much-awaited Akutars, a collection of unique 3D avatars based on his popular Aku NFT series. Johnson’s NFT character Aku—a young Black boy with dreams of being an astronaut who wears an oversized space helmet—has gotten the celebrity support of Pusha T, Tyra Banks, Trevor Noah and more, and has generated over $19 million in sales.
Minutes after the NFT launch, Hasan Gondal, a software engineer and the founder of the software company Freight Labs, warned of an issue with the smart contract. But Gondal confirmed shortly after that Aku team software developers told him he was “wrong” and that the code was operational.
“A smart contract transforms the legal language we use to do business into code, then bakes this onto a blockchain, becoming immutable,” Konstantin Richter, CEO of Blockdaemon, a blockchain infrastructure company, told Fortune.
While smart contracts aren’t exclusive to NFT projects and exist on the Ethereum blockchain—which is a public and decentralized record of cryptocurrency transactions—they are essential to NFT sales functioning smoothly.
Smart contract flaws increase a crypto or NFT project’s attack surface, in Richter’s opinion, because the contracts live on public blockchains, where anyone can read the code and bad actors can exploit the flaws. And the consequences of these flaws can be massive—from lost money to entire crypto communities dissolving.
The first incident
“Micah and the developers were on a call with me and they said ‘we have some sort of safeguards in place,’” Gondal told Fortune. “It was such a big mint and I knew a tweet like mine could affect whether or not they sell out, for example. I didn’t want to cause any trouble for them. So I said ‘yeah it looks fine.’ And then maybe a half hour later, someone had exploited the issue.”
Unfortunately, the smart contract did have vulnerabilities, which an anonymous user named USER221 then exploited, halting both Ethereum withdrawals and refunds, according to a thread by Ethereum developer 0xInuarashi.
USER221 urged the Aku team to “please do bug bounty on your contracts or have them audited at least,” as reported by Decrypt. And after having a bit of “fun,” the user announced they would not exploit the vulnerability further if the Aku team publicly acknowledged that the flaw existed, according to Decrypt.