Aku’s Nightmare: $34M Locked Forever as Flaw Highlights Danger of Smart Contracts

The thing about middlemen is that they can correct mistakes.

Virtually all of blockchain and crypto, from Bitcoin on, is about cutting them out, for reasons that range from cost and speed to privacy.

However, as a poorly worded smart contract in a high-profile non-fungible token (NFT) launch showed over the weekend, the ability to lock funds into an agreement that will only pay out if certain conditions are met can have expensive consequences.

In the case of the high-profile Aku Dreams project, created by former baseball player Micah Johnson, a series of coding errors turned into a $34 million disaster, locking 11,539 ether into a smart contract that cannot pay out.

Johnson is now an artist who works in NFTs. His 10-chapter NFT story of Aku, a young black man who dreams of becoming an astronaut, caught the public’s eye, receiving endorsements and even a Hollywood deal for film and TV rights with Shawn Mendes and Anonymous Content, producers of the Oscar-winning film “The Revenant” and television’s “Schitt’s Creek.”

It also has strong metaverse ties. The “Akutar” avatars that are part of the Akuverse (a fictional world, rather than a “real” virtual world) have gained endorsements from streetwear brands such as singer Pharrell Williams’ Ice Cream, which also created fashion designs for the Akutars.

Far-Reaching Consequences

A lot of the attention paid to smart contracts’ flaws has been focused on instances where they were exploited by hackers to steal decentralized finance (DeFi) projects’ funds, such as the Feb. 2 Wormhole exploit, which drained $320 million from another cross-chain bridge.

But Aku Dreams’ problems cannot be totally attributed to hackers. The part of the smart contract that caused the problem was not exploited directly, and thus gives a better argument for proponents who say that smart contracts should not be made unchangeable.

This may have big legal consequences for the entire NFT and DeFi space, as the proposed Data Act going through the European Parliament could require all smart contracts to have an escape clause. However, many in the industry say that would eliminate the main benefit of a smart contract: that it can be trusted without a middleman because it is unchangeable.

But as cryptocurrencies evolved past simple currency replacements with the advent of Ethereum’s self-executing smart contracts — which power everything from supply chain management blockchains to DeFi’s human-free exchanges and lending platforms — it’s become very clear that smart contracts sometimes aren’t.

In part this is due to human error, but other factors come into play, including a huge talent deficit in the cryptocurrency space that has crypto projects, banks, corporations and many, many other organizations fighting for developers and engineers. This has made it difficult to have enough eyes on each project and to have smart contracts reviewed for accuracy.

“It’s no longer just crypto firms chasing developers,” financial job site eFinancialCareers wrote in a Feb. 11 blog. “As investment banks build out their own decentralized finance offerings, they too are in the market for expertise in the coding languages that crypto firms love … As banks push into the market too, talent shortages are only likely to get worse.”

Aku’s Nightmare

In all, the NFT sales for Aku Dreams have passed $60 million, so losses will be covered. This last round was held in Dutch auction format, in which the lowest winning bid would be the price paid by all bidders for the 15,000 NFTs of Aku in various outfits. The format of the NFTs was similar in that regard to avatar projects like Bored Ape Yacht Club and CryptoPunks, which can sell for six and seven figures.

What happened is that a series of errors in the code was triggered by what was intended to be a “white hat” exploit. After the developers were warned of, and ignored, a flaw in the smart contract minting the NFTs, a hacker set off the exploit with a so-called “griefing contract,” locking the funds (but not stealing them) by halting both the ether withdrawals and refunds.

The hacker was following a not-uncommon white hat format of stealing funds, publicly rubbing the developers’ faces in their error and returning the funds. That’s what happened in the August 2021 hack, in which $612 million was stolen from the cross-chain bridge protocol (which allows people to make transactions on different blockchains in different cryptocurrencies) and returned over the course of several weeks.

Unfortunately, that’s where the Aku Dreams developer team’s problems truly began. The griefer released the funds, but another flaw in the smart contract then revealed itself, the Aku Dreams team explained on Twitter. After the funds were unlocked, partial refunds were handed out to some bidders, and that locked in the remaining funds.

“We will never be able to access them,” the official Aku Dreams account said.

The team plans to remint the NFTs and make refunds using previously raised funds.

“The mistakes that were made are no more costly to anyone than myself,” Johnson tweeted on April 23 after promising to continue the project. “I’ve reinvested most everything into building Aku & most everything will go back to refunds and we will keep building what we set out to do. Brick by brick.”