For background information on the Aku NFT project, please see "Aku, the first NFT optioned for the big screen, offers a glimpse into the future of IP and entertainment"
"Web3, we have a problem." On April 22, the highly anticipated Akutar NFT drop, the latest collection in the famed Aku series by pioneer NFT artist Micah Drew Johnson, ended in catastrophe as the founders discovered that logic programmed into their smart contract resulted in 11,539.5 ETH (over thirty-four million dollars) being locked inside the smart contract forever.
What's a smart contract?
A smart contract is computer code deployed onto a blockchain; here, the Ethereum blockchain network. Like a vending machine, smart contracts are designed to be self-executing, meaning they operate without human intervention. Smart contracts are the key technology behind non-fungible token (NFT) projects, enabling the minting (i.e., creation), auction, sale, purchase, transfer, and recordation of ownership of NFTs. Smart contracts also act like escrow agents, with the power to receive, store, and distribute the proceeds from NFT sales according to rules, or logic, incorporated into the smart contract's computer code.
What happened with the Akutar smart contract?
- The smart contract governing the Akutar NFT sale had at least
two major bugs: the first was temporarily exploited by a
"white hat" hacker, and the second froze the NFT team out
of $34 million.
- First, the smart contract was intended to let the lowest bidder
in a Dutch Auction set the price for
all NFTs in the collection and to refund all higher bidders the
difference between that price and their bids.
- The smart contract developer, who remained anonymous to the
team, added in a feature that allowed them to lock and unlock the
function to process refunds. This feature was exploited.
- The anonymous developer agreed to allow refunds to process
only after the Akutar team publicly acknowledged that the exploit
existed, apparently in an attempt to bring attention to best
practices for NFT project launches.
- Second, though some refunds are being processed for bidders, an unrelated bug, which involves a simple counting error, prevents the Aku team or the developer from ever withdrawing any of the sale proceeds. Those $34M (as of today), which can be seen locked in the smart contract here, are gone forever.
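
The refund rule and the withdrawal gate described in the list above, as an added Python model that is not the Akutar contract's code. The page does not detail the counting error; the model assumes it is a counter of processed bids compared against a total counted in NFTs, and all names and the sample bids are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bid:
    bidder: str
    quantity: int      # NFTs requested in this bid
    price: int         # price per NFT when the bid was placed, in milli-ETH

class AuctionModel:
    """Toy escrow model; every name here is hypothetical."""

    def __init__(self, bids, count_by_bids):
        self.bids = list(bids)
        self.count_by_bids = count_by_bids
        self.balance = sum(b.quantity * b.price for b in self.bids)
        self.clearing_price = min(b.price for b in self.bids)  # lowest bid sets the price
        self.total_nfts = sum(b.quantity for b in self.bids)   # counts NFTs
        self.refunds_done = 0                                  # counts bids

    def process_refunds(self):
        """Refund each bidder the difference between their bid and the clearing price."""
        paid_out = {}
        for bid in self.bids[self.refunds_done:]:
            owed = (bid.price - self.clearing_price) * bid.quantity
            self.balance -= owed
            paid_out[bid.bidder] = owed
            self.refunds_done += 1
        return paid_out

    def withdraw_proceeds(self):
        """Release proceeds only once every refund has been processed."""
        # Assumed flaw: a count of processed bids is compared with a total of NFTs.
        target = len(self.bids) if self.count_by_bids else self.total_nfts
        if self.refunds_done < target:
            return 0   # gate stays closed; on-chain this would be a reverted call
        amount, self.balance = self.balance, 0
        return amount

# Constructed sample bids (not real auction data).
SAMPLE_BIDS = [Bid("alice", 1, 3500), Bid("bob", 3, 3000), Bid("carol", 2, 2500)]

def simulate(count_by_bids):
    auction = AuctionModel(SAMPLE_BIDS, count_by_bids)
    refunds = auction.process_refunds()
    withdrawn = auction.withdraw_proceeds()
    return refunds, withdrawn, auction.balance

if __name__ == "__main__":
    for label, flag in (("mismatched counters", False), ("matching counters", True)):
        print(label, simulate(flag))
```

With mismatched units the gate can never open once any bid covers more than one NFT, because the bid counter stops at 3 while the target is 6; a pre-deployment test that runs the full refund-then-withdraw sequence with multi-NFT bids catches this.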
Following news of the smart contract failure, the Aku and larger NFT communities offered words of support to creator Micah Drew Johnson and the Aku World team, who expressed that they are resiliently committed to their mission of proving that "no dream is too big and no obstacle is too large."
While tragic, this turn of events serves as an important wake-up call for the NFT and Web3 community. The smart contract is by far the most critical component of any Web3 or NFT project. Its role, capabilities, and limitations are widely misunderstood. Smart contracts are rightly heralded for their power to eliminate human intermediaries from transactions. Ultimately, though, they are computer programs created by humans who can make mistakes or act maliciously.
Smart contracts are encoded on blockchains, which makes them immutable. This immutability, decentralization, and lack of human involvement create the so-called "trustless" environment that distinguishes blockchain technology from traditional systems of exchange. These same characteristics that enable the power, promise, and wonder of blockchain applications also create incredible risk. Once a smart contract is deployed and executed to mint and transfer NFTs, it cannot be modified. If there's an error in the logic of the code and a failure of any integrated fail-safes, there is little to no recourse available to remediate the problems. Like cash or candy stuck in a broken vending machine, cryptocurrency and digital tokens may be stuck in a broken smart contract, but there is no ability to reach inside, smash the glass, or otherwise retrieve any assets.
Key takeaways:
- Web3 communities and NFT project leaders put tremendous trust
in smart contracts and, by necessity, the developers behind
them.
- Smart contracts are not the area to skimp on when launching an
NFT or other blockchain project! The importance of hiring
experienced, credible, trustworthy developers cannot be
overstated.
- Building in traditional contractual requirements to develop
smart contract code free from vulnerabilities and to debug
(including via "bug bounty" programs), test, and audit
code is an absolute necessity for any blockchain-based
project.
- Partners should decide in advance how to allocate risk between
the parties arising from a defective smart contract.
- As the industry evolves, insurance will likely become a key component in the ecosystem, as will credible, third-party smart contract auditors.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.