How an NFT creator lost $34 million due to a smart contract error
Due to a simple smart contract error during a new NFT launch, $34 million in ETH is locked away from both the creator and buyers, as of Friday.
On April 22, major league baseball player turned non-fungible token artist Micah Johnson launched his much awaited Akutars, a collection of unique 3D avatars based on his popular Aku NFT series. Johnson’s popular NFT character Aku—a young Black boy with dreams of being an astronaut who wears an oversize space helmet—has gotten the celebrity support of Pusha T, Tyra Banks, Trevor Noah, and others, and has generated over $19 million in sales.
Minutes after the NFT launch, Hasan Gondal, a software engineer and the founder of the software company, Afraid Labs, warned of an issue with the smart contract. But Gondal confirmed shortly after that Aku team software developers told him he was “wrong” and that the code was operational.
“A smart contract transforms the legal language we use to do business into code, then bakes this onto a blockchain, becoming immutable,” Konstantin Richter, CEO of Blockdaemon, a blockchain infrastructure company, told Fortune.
While smart contracts aren’t exclusive to NFT projects and exist on the Ethereum blockchain—which is a public and decentralized record of cryptocurrency transactions—they are an essential aspect of NFT sales functioning smoothly.
Smart contract flaws increase a crypto or NFT project’s attack vector, in Richter’s opinion, because they live on public blockchains and the flaws can be exploited by bad actors. And the consequences of these flaws can be massive—from lost money to entire crypto communities dissolving.
The first incident
“Micah and the developers were on a call with me and they said ‘We have some sort of safeguards in place,’” Gondal told Fortune. “It was such a big mint and I knew a tweet like mine could affect whether or not they sell out, for example. I didn’t want to cause any trouble for them. So I said ‘Yeah, it looks fine.’ And then maybe a half hour later, someone had exploited the issue.”
Unfortunately, the smart contract did have vulnerabilities, which an anonymous user named USER221 then exploited, halting both Ethereum withdrawals and refunds, according to a thread by Ethereum developer 0xInuarashi.
USER 221 urged the Aku team to “please do bug bounty on your contracts or have them audited at least,” as reported by Decrypt. And after having a bit of “fun” the user announced they would not exploit the vulnerability if the Aku team publicly acknowledged that the flaw existed, citing Decrypt.
The second incident
Once the project was up and running again in a matter of hours, a second incident occurred where the Aku team’s smart contract code failed to account for multiple NFT mints within the same transaction, per a thread by Ethereum developer 0xInuarashi. This error in the smart contract led to 11,539 ETH—worth about $34 million as of Friday—being permanently locked in the smart contract, citing Decrypt. The funds are entirely inaccessible to both Aku’s creators and relevant customers.
“There’s actually another twist to this story,” Gondal told Fortune. “Someone exploited this contract very early on and they locked the funds. If the team would have noticed that withdrawal error when it was just a small mistake, basically, and if the attacker left it locked for three days where nobody else could process refunds, after three days, everyone would get their money back. But how things are currently, the funds are locked now, forever. It’s a very, very unique circumstance.”
This conundrum could have been avoided with thorough audits, according to Craig Palmer, CEO of MakersPlace, a NFT digital art marketplace.
“Not having the proper safeguards in place will leave projects open to hacks, but an even more preventable mistake in this case, a poorly written code which led to $34 million worth of ETH locked away, will only leave everyone upset and questioning your legitimacy,” Palmer, told Fortune. “It’s extremely important to ensure that smart contracts can run as intended, so double- and triple-checking them before a drop is paramount. Therefore, ensuring audits take place before the contract goes live is essential to ensuring a safer digital industry and thereby providing a higher level of comfort for the community.”
Johnson has since tweeted an apology for the error and assured patrons that they will receive refunds, calling the technological misfires during the Akutars launch “costly” to himself.
In light of recent events, it is clear that smart contracts can be a double-edged sword—with the potential to be both convenient and catastrophic. Here’s everything you need to know about smart contracts to navigate them safely.
What is a smart contract?
Smart contracts are digital contracts that are programmed to execute when preset conditions are met. They are considered “smart” because they can automate any type of transaction, no matter how complex it is. In short, without an intermediary like a bank, smart contracts can automatically execute agreements such as loans, sales, and other financial transactions, in a way that is both trackable and irreversible.
The irreversibility of smart contract transactions means there generally isn’t an opportunity for a “do-over,” according to Anthony Mongiello, CEO and cofounder of the Bulls and Apes Project, a generative NFT collection.
“Smart contracts are pieces of code that live on the blockchain,” Mongiello, told Fortune. “These pieces of code control the transfer of ownership to what could wind up being an extremely valuable asset, maybe even someone’s most valuable asset. Yet the common person has very little or no experience reading code. So now you have a situation where NFT holders are putting an incredible amount of trust in projects and founders to handle the ownership of this asset appropriately. Founders need to appreciate this trust and do whatever it takes to ensure the safety of their community.”
Mongiello’s advice to NFT and crypto professionals is to use reputable technology professionals, and also have the work audited by a reputable firm and reputable technologists in the Web3 space.
Flaws in a smart contract can create vulnerabilities. Here’s how to solve for them.
“Creators have many things to think about when developing an NFT or crypto project,” Nick Percoco, chief security officer at Kraken, a cryptocurrency exchange and bank, told Fortune. “If a project is not rigorously tested and reviewed, any minor flaw or vulnerability may be exploited in the future. In the best-case scenario, these may cause a minor inconvenience. However, in the worst case, these may result in the loss of millions of dollars worth of funds.”
Percoco thinks a big step towards more secure smart contracts is the use of “standardized” contracts as a base. He recommends that NFT founders make use of existing standard libraries that contain well-reviewed smart contracts that can be used as a base for their new NFT projects.
“Standardization reduces the overhead costs of verifying the security of the NFT, as only the nonstandard parts have to be reviewed,” Percoco told Fortune. “While those are still critical, they tend to be much less complex. Through these processes, the industry continues to learn and improve upon the security of smart contracts.”
Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.