In April 2022, the Akutars NFT project suffered a security incident due to multiple errors in the implementation of its auction smart contract. These errors caused 11,539.5 ETH to be permanently locked within the smart contract.
Inside the Incident
The Akutars smart contract contained multiple logical and implementation errors. The first of these is an out-of-gas Denial of Service (DoS) vulnerability. Each instruction in the Ethereum virtual machine has a gas cost associated with it, and Ethereum blocks have a limit on the amount of gas that they can consume. As a result, the number of instructions that can be performed in an Ethereum transaction before it runs out of gas and is reverted is limited.
The Akutars smart contract’s processRefunds function sends ETH to bidders’ accounts; when a recipient account is itself a smart contract, that transfer executes the recipient’s fallback function. Because these calls do not cap the gas available to the fallback function, a malicious recipient contract could consume all of the remaining gas and cause the entire refund transaction to revert.
This DoS vulnerability was never triggered, but the smart contract code contained a bigger issue. The refund function included checks intended to verify that a user did not claim the same refund twice. However, instead of comparing the refundProgress variable to bidIndex, it required that refundProgress be greater than or equal to totalBids.
The value of refundProgress can never reach totalBids, so every attempt to claim a refund from the smart contract fails. As a result, the 11,539.5 ETH deposited into the smart contract is locked there permanently.
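To make both defects concrete, the following Solidity contract is an added example written for this article; it is not Akutars’ code. It puts the two patterns described above (a refund loop that pushes ETH through an uncapped external call, and a gate that compares refundProgress with totalBids, a bound it can never reach) next to their safer forms: refunds are credited in storage and pulled by each bidder, and the gate compares the counter with bidIndex, the bound it actually advances to. The clearing price, the batching of refunds, and placing the unsatisfiable check on a finalisation step that must wait for all refunds are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration, not the Akutars contract: a minimal auction refund flow
/// with the two defect classes from the write-up beside their safer forms.
contract RefundAuctionExample {
    address public immutable owner;
    uint256 public immutable finalPrice; // assumed clearing price for this example

    address[] public bidders;                         // one slot per unique bidder
    mapping(address => uint256) public paid;          // ETH deposited per bidder
    mapping(address => uint256) public pendingRefund; // credited now, pulled later
    uint256 public totalBids;      // every bid() call; repeat bidders counted again
    uint256 public refundProgress; // bidder slots whose refund has been credited
    bool public ownerPaid;

    constructor(uint256 price) {
        owner = msg.sender;
        finalPrice = price;
    }

    // Number of unique bidder slots; refundProgress can never exceed this.
    function bidIndex() public view returns (uint256) {
        return bidders.length;
    }

    function bid() external payable {
        require(refundProgress == 0, "refunds already started");
        require(msg.value >= finalPrice, "below clearing price");
        if (paid[msg.sender] == 0) bidders.push(msg.sender);
        paid[msg.sender] += msg.value;
        totalBids += 1; // one address bidding twice makes totalBids > bidIndex()
    }

    // Defect 1 (kept only to show the failure mode): push refunds through a call
    // that forwards all remaining gas. One recipient whose fallback burns that gas
    // or reverts makes require(ok) fail, so no later bidder in the batch is paid.
    function processRefundsPush(uint256 batch) external {
        uint256 end = _batchEnd(batch);
        for (uint256 i = refundProgress; i < end; i++) {
            address b = bidders[i];
            uint256 amount = paid[b] - finalPrice;
            paid[b] = finalPrice;
            (bool ok, ) = b.call{value: amount}("");
            require(ok, "refund transfer failed");
        }
        refundProgress = end;
    }

    // Safer form: credit refunds in storage; no external call inside the loop.
    function processRefunds(uint256 batch) external {
        uint256 end = _batchEnd(batch);
        for (uint256 i = refundProgress; i < end; i++) {
            address b = bidders[i];
            uint256 amount = paid[b] - finalPrice;
            paid[b] = finalPrice;
            pendingRefund[b] += amount;
        }
        refundProgress = end;
    }

    // Pull payment: each bidder withdraws their own refund, so a hostile
    // fallback can only block its own owner's money.
    function withdrawRefund() external {
        uint256 amount = pendingRefund[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefund[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }

    // Defect 2: gating on refundProgress >= totalBids. refundProgress stops at
    // bidIndex(), so once any address has bid twice this can never be true and
    // the proceeds are locked for good.
    function releaseProceedsBroken() external {
        require(refundProgress >= totalBids, "refunds not complete");
        _payOwner();
    }

    // Fixed gate: compare the counter with the bound it actually advances to.
    function releaseProceeds() external {
        require(refundProgress >= bidIndex(), "refunds not complete");
        _payOwner();
    }

    function _batchEnd(uint256 batch) private view returns (uint256) {
        uint256 end = refundProgress + batch;
        return end > bidders.length ? bidders.length : end;
    }

    function _payOwner() private {
        require(msg.sender == owner, "not owner");
        require(!ownerPaid, "already paid");
        ownerPaid = true; // only the clearing price per bidder; refunds stay withdrawable
        (bool ok, ) = owner.call{value: bidders.length * finalPrice}("");
        require(ok, "payout failed");
    }
}
```

The two safe paths share one design rule: never let the progress of a loop over many users depend on code that one of those users controls, and never gate a state transition on a counter reaching a value that the code advancing the counter cannot produce. A unit test that has one address bid twice, processes all refunds, and then calls the release function would have exposed the second defect before deployment.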
Lessons Learned From the Incident
The Akutars incident was made possible by two basic errors in the auction smart contract. The DoS vulnerability is a common error, and the incorrect progress check was a mistake in the implementation of the contract’s core business logic.
Both of these errors could have been detected and corrected during a smart contract audit. The failure to do so resulted in the permanent loss of approximately $34 million in ETH within the vulnerable smart contract.