How a Simple Logic Error Locked $34 Million in an NFT Contract
A refund-queue denial-of-service bug and a single wrong comparison in the Akutar NFT project's AkuDreams Solidity contract left 11,539 ETH (about $34 million) permanently locked, a reminder that one subtle coding error can freeze enormous sums with no way back.
On April 23, 2022, the Solidity developer known as foobar announced on Twitter that 11,539 ETH (worth roughly $34 million, or about 200 million RMB) was permanently locked in the AkuDreams contract of the Akutar NFT project, retrievable by neither the bidders nor the development team.
The contract contains two major vulnerabilities. Vulnerability 1 is in the processRefunds function, which pays refunds in a loop using a low-level call and feeds the call's success flag straight into a require. A bidder who placed their bid from a contract whose receive or fallback function reverts will make that require fail, and because a failed require reverts the whole transaction rather than just the one transfer, nothing the loop did in that transaction is kept.
The queue therefore stalls at the reverting address: refundProgress never advances past it, every bidder later in the queue cannot be refunded, and the refund process stays frozen for as long as that address keeps rejecting payment.
Vulnerability 2 is in the claimProjectFunds function, which is meant to let the project owner withdraw only once every refund has been paid. Its guard is require(refundProgress >= totalBids). But refundProgress advances once per bidder entry the refund loop processes, while totalBids counts the total number of NFT bids, which is larger whenever a single bidder placed more than one bid. As soon as that happens the condition can never be satisfied, and the owner can never withdraw.
refundProgress is also bounded from above: processRefunds begins with require(_refundProgress < _bidIndex) and only advances the counter over bidder entries, so it can never exceed bidIndex. The deployed contract reports bidIndex = 3669 (the number of distinct bidders) and totalBids = 5495. Withdrawal needs refundProgress >= 5495 while the refund logic caps refundProgress at 3669, which is impossible, so the funds are locked permanently.
The likely cause is a simple mix-up: the developer intended to compare against bidIndex (the number of bidders) but wrote totalBids instead, a one-identifier error that turned into a multi-million-dollar loss. An end-to-end test that ran bid, processRefunds and claimProjectFunds in sequence with a single bidder holding more than one bid would have tripped the impossible condition before deployment.
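Both failure modes and their fixes, as an added example written for this article; this is not the AkuDreams contract itself. The names Bid, allBids, totalBids, refundProgress, clearingPrice and pendingRefund are assumptions chosen to match the description above, allBids here holds one entry per bid transaction so that allBids.length plays the role of bidIndex, and the live contract's gas-budgeted loop is simplified to a fixed batch size:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction written for this article, not the AkuDreams contract.
// Names (Bid, allBids, totalBids, refundProgress, clearingPrice, pendingRefund) are
// assumptions; allBids.length plays the role of bidIndex (3669 live vs totalBids 5495).
contract RefundQueueVulnerable {
    struct Bid { address bidder; uint256 bidValue; uint256 bidsPlaced; }
    Bid[] public allBids;
    uint256 public totalBids;       // sum of bidsPlaced over all entries
    uint256 public refundProgress;  // entries refunded so far; never exceeds allBids.length
    uint256 public immutable clearingPrice; address public immutable owner;
    constructor(uint256 price) { owner = msg.sender; clearingPrice = price; }

    function bid(uint256 count) external payable {
        require(count > 0 && msg.value >= clearingPrice * count, "underpaid");
        allBids.push(Bid(msg.sender, msg.value / count, count));
        totalBids += count;
    }

    // Bug 1: push payment inside the loop. One bidder whose receive() reverts makes
    // require(sent) revert the whole transaction, so refundProgress is never written.
    function processRefunds() external {
        uint256 i = refundProgress;
        require(i < allBids.length, "refunds already processed");
        for (; i < allBids.length; i++) {
            Bid storage b = allBids[i];
            uint256 refund = (b.bidValue - clearingPrice) * b.bidsPlaced;
            if (refund > 0) {
                (bool sent, ) = b.bidder.call{value: refund}("");
                require(sent, "refund failed");
            }
        }
        refundProgress = i;
    }

    // Bug 2: refundProgress tops out at allBids.length, but the check uses totalBids.
    // Once anyone bids more than one unit, totalBids > allBids.length and this never passes.
    function claimProjectFunds() external {
        require(msg.sender == owner, "not owner");
        require(refundProgress >= totalBids, "refunds not yet processed");
        (bool sent, ) = owner.call{value: address(this).balance}("");
        require(sent, "withdraw failed");
    }
}

// A bidder that jams the push-refund queue: its receive() reverts.
contract BlockingBidder {
    receive() external payable { revert("refund rejected"); }
    function placeBid(RefundQueueVulnerable t, uint256 count) external payable { t.bid{value: msg.value}(count); }
}

// Hardened form: credit refunds and let bidders pull them, compare against the
// counter the loop actually advances, and never sweep ETH still owed to bidders.
contract RefundQueueFixed {
    struct Bid { address bidder; uint256 bidValue; uint256 bidsPlaced; }
    Bid[] public allBids;
    uint256 public refundProgress;
    uint256 public totalPendingRefunds;
    mapping(address => uint256) public pendingRefund;
    uint256 public immutable clearingPrice; address public immutable owner;
    constructor(uint256 price) { owner = msg.sender; clearingPrice = price; }

    function bid(uint256 count) external payable {
        require(count > 0 && msg.value >= clearingPrice * count, "underpaid");
        allBids.push(Bid(msg.sender, msg.value / count, count));
    }

    // No external call, so no bidder can block it; `limit` bounds work per transaction.
    function processRefunds(uint256 limit) external {
        uint256 i = refundProgress;
        uint256 end = i + limit < allBids.length ? i + limit : allBids.length;
        for (; i < end; i++) {
            Bid storage b = allBids[i];
            uint256 refund = (b.bidValue - clearingPrice) * b.bidsPlaced;
            pendingRefund[b.bidder] += refund;
            totalPendingRefunds += refund;
        }
        refundProgress = i;
    }

    // Each bidder pulls its own refund; a reverting receiver only hurts itself.
    function withdrawRefund() external {
        uint256 amount = pendingRefund[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefund[msg.sender] = 0;   // effects before interaction
        totalPendingRefunds -= amount;
        (bool sent, ) = msg.sender.call{value: amount}("");
        require(sent, "refund failed");
    }

    function claimProjectFunds() external {
        require(msg.sender == owner, "not owner");
        require(refundProgress >= allBids.length, "refunds not yet processed");
        (bool sent, ) = owner.call{value: address(this).balance - totalPendingRefunds}("");
        require(sent, "withdraw failed");
    }
}
```

To reproduce the failure, deploy RefundQueueVulnerable, let an ordinary account bid above the clearing price, then have a BlockingBidder call placeBid; every call to processRefunds now reverts with "refund failed" and refundProgress stays where it was. Even if the blocker were replaced by a cooperative bidder, claimProjectFunds still reverts as soon as any entry has bidsPlaced greater than one, because refundProgress can reach at most allBids.length while the guard demands totalBids. In RefundQueueFixed the credit loop makes no external calls, a reverting receiver only forfeits its own withdrawRefund, the owner's guard uses the same counter the loop advances, and the sweep subtracts totalPendingRefunds so refunds that have been credited but not yet claimed are never taken by the project. Simply dropping the require(sent) in the vulnerable loop would have unblocked the queue but silently discarded the refund of any bidder whose transfer failed; pull payment is the standard answer.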
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO