For general information on the Aku NFT project, please see “Aku, the first optional NFT for the big screen, offers a glimpse into the future of IP and entertainment”
“Web3, we have a problem.” On April 22, the highly anticipated Akutar NFT drop, the latest collection in the famous Aku series by pioneering NFT artist Micah Drew Johnson, ended in disaster when the founders discovered that, because of logic programmed into their smart contract, 11,539.5 ETH, or over thirty-four million dollars, was locked away in the smart contract forever.
What is a smart contract?
A smart contract is computer code deployed on a blockchain – here, the Ethereum blockchain network. Like a vending machine, smart contracts are designed to be self-executing, meaning they work without human intervention. Smart contracts are the key technology behind non-fungible token (NFT) projects, enabling the minting (i.e. creation), auctioning, selling, buying, transferring and registration of ownership of NFTs. Smart contracts also act as escrows, with the power to receive, store and distribute proceeds from NFT sales according to rules – or logic – embedded in the computer code of the smart contract.
What happened with the Akutar smart contract?
- The smart contract governing the sale of Akutar NFTs had at least two major bugs: the first was temporarily exploited by a “white hat” hacker, and the second froze $34 million of the NFT team’s funds.
- First, the smart contract was intended to let the lowest bid of a Dutch auction set the price of all the NFTs in the collection and to refund all higher bidders the difference between this price and their bids.
- The smart contract developer, who remained anonymous to the team, added a feature that allowed them to lock and unlock the refund processing feature. This functionality has been exploited.
- The anonymous developer agreed to allow refunds to be processed only after the Akutar team publicly acknowledged the existence of the exploit, ostensibly in an effort to draw attention to best practices for NFT project launches.
- Second, although some refunds are being processed for bidders, an unrelated bug, which involves a simple counting error, prevents the Aku team or the developer from withdrawing the proceeds of the sale. This $34 million (to date), which can be seen locked in the smart contract here, is gone forever.
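An added illustration, not the Akutar contract's code and not from the original article: a simplified Python model of an escrow whose withdrawal gate contains a counting error. It assumes the error is a comparison between the number of bidders refunded and the number of NFTs bid on, a detail the article does not specify; all names and sample bids are constructed.

```python
"""Simplified model (added illustration, not the Akutar contract's code).
Assumption: the gate compares bidders refunded against NFTs bid on."""

class AuctionEscrow:
    def __init__(self, fixed_gate=False):
        self.fixed_gate = fixed_gate
        self.bids = []             # (bidder, quantity, price_paid_per_nft)
        self.total_bids = 0        # unit: NFTs bid on
        self.refund_progress = 0   # unit: bidders refunded
        self.balance = 0           # funds held in escrow
        self.refunds = {}          # bidder -> amount returned

    def bid(self, bidder, quantity, price):
        self.bids.append((bidder, quantity, price))
        self.total_bids += quantity
        self.balance += quantity * price

    def process_refunds(self):
        final_price = min(price for _, _, price in self.bids)  # lowest bid sets price
        for bidder, qty, price in self.bids[self.refund_progress:]:
            owed = qty * (price - final_price)
            self.balance -= owed
            self.refunds[bidder] = self.refunds.get(bidder, 0) + owed
            self.refund_progress += 1

    def claim_proceeds(self):
        # Buggy gate mixes units: it can only pass if every bidder bid for
        # exactly one NFT. The fixed gate compares bidders with bidders.
        required = len(self.bids) if self.fixed_gate else self.total_bids
        if self.refund_progress < required:
            raise RuntimeError("refunds not yet processed")
        paid, self.balance = self.balance, 0
        return paid

# Constructed sample bids; prices in tenths of ETH to keep integer arithmetic.
SAMPLE_BIDS = [("alice", 1, 35), ("bob", 3, 30), ("carol", 2, 25)]

def simulate(fixed_gate):
    escrow = AuctionEscrow(fixed_gate)
    for bid in SAMPLE_BIDS:
        escrow.bid(*bid)
    escrow.process_refunds()
    try:
        withdrawn = escrow.claim_proceeds()
    except RuntimeError:
        withdrawn = None           # gate stays closed: counters measure different things
    return withdrawn, escrow.balance, escrow.refunds

if __name__ == "__main__":
    print("buggy gate:", simulate(False))
    print("fixed gate:", simulate(True))
```

In the buggy run every refund completes, yet the proceeds stay in escrow because three bidders can never equal six NFTs; a unit test with a single multi-NFT bid would have exposed the mismatch before deployment.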
Following news of the failed smart contract, the wider Aku and NFT communities offered words of support to creator Micah Drew Johnson and the Aku World team, who said they remained resiliently committed to their mission to prove that “no dream is too big and no obstacle is too big”.
Although tragic, this turn of events is an important red flag for the NFT and Web3 community. The smart contract is by far the most critical component of any Web3 or NFT project. Its role, capabilities and limitations are widely misunderstood. Smart contracts are rightly hailed for their power to eliminate human intermediaries from transactions. Ultimately, however, these are human-made computer programs that can make mistakes or act maliciously.
Smart contracts are encoded on blockchains, which makes them immutable. This immutability, decentralization, and lack of human involvement create the so-called “trustless” environment that sets blockchain technology apart from traditional exchange systems. The same characteristics that enable the power, promise and wonder of blockchain applications also create incredible risk. Once a smart contract is deployed and executed to mint and transfer NFTs, it cannot be modified. If there is an error in the logic of the code and one of the built-in safeguards fails, there is little or no recourse available to resolve the issues. Like cash or candy stuck in a broken vending machine, cryptocurrency and digital tokens can be stuck in a broken smart contract, but there is no possibility of reaching inside, breaking the window, or recovering the assets.
Key points to remember:
- Web3 communities and NFT project managers place enormous trust in smart contracts and, by necessity, the developers behind them.
- Smart contracts are not the area to skimp on when launching an NFT or other blockchain project! The importance of hiring experienced, credible and trustworthy developers cannot be overstated.
- Building into traditional contracts requirements to develop smart contract code free of vulnerabilities, and to debug (including through bug bounty programs), test and audit the code, is an absolute necessity for any blockchain-based project.
- The partners must decide in advance how to allocate the risks between the parties arising from a faulty smart contract.
- As the industry evolves, insurance will likely become a key part of the ecosystem, along with credible third-party smart contract auditors.