Micah Johnson Akutars NFT Fails
Thanks to the runaway success of the Bored Ape Yacht Club, there's a pretty standard model for running a blockbuster non-fungible token (NFT) collection in 2022.
It hinges on the concept of communities as companies, with an NFT as a form of membership. In the way a traditional company might issue stock, making each stockholder a part owner, crypto communities launch NFT collections, making holders into "members" of varying influence.
Say you have an online community going, maybe a Twitter following, a fanbase, a group chat or a kind of amorphous online social club. You give (or sell) each person involved in that community their own NFT, sort of like a digital membership pass. These passes become the only way in. As a member, you can either sell your pass to someone outside the community – maybe a speculator, maybe just an enthusiastic spectator – or hold onto it in the hopes of receiving special members-only perks down the line. (Whether the Securities and Exchange Commission will one day see these NFTs as investment contracts is something of an open question.)
Those perks essentially amount to "access" in a variety of different forms. As an NFT holder, you'll get first dibs on future NFT projects from the community, and potentially have some small say in how those projects play out. Maybe your status as a holder entitles you to 10,000 COMMUNITY tokens, or a special NFT profile picture for flexing your membership on Twitter and Discord.
The community's founding leadership team usually makes all the business decisions and controls the greatest number of NFTs, but there's a sense in which the collective makes or breaks the project. There's rarely any sort of lock-up period, or rules around what creators and shareholders – sorry, uh, NFT holders – can or can't do with their membership passes.
This was the conceit behind Crypto Packaged Goods, the NFT collective founded by venture capitalists Chris Cantino and Jaime Schmidt last fall, and Proof, a similar effort helmed by erstwhile Web 2.0 entrepreneur Kevin Rose. When Proof launched a new NFT collection earlier this month, existing members were given the opportunity to invest before the general public.
And while that NFT collection, Moonbirds, was mostly a success, generating $58 million for the company's treasury, the model of an NFT project used to raise capital comes with its own sort of risks.
Exploited?
This past weekend, a crypto community led by the former pro baseball player Micah Johnson raised about $35 million with an NFT launch. Shortly after, it announced that it had lost all of the money.
Johnson has spent the past year promoting a brand called Akuverse, essentially a crypto media company built around a spacefaring mascot called Aku. On Friday, it planned to drop "Akutars," the official NFT avatars of the Aku universe (similar to how Proof framed the Moonbirds launch). Prices would start high, at 3.5 ETH (around $10,000), but were set to descend as the sale progressed.
Because all the code for the NFT launch mechanism was already public in smart contracts deployed to the Ethereum blockchain, anyone with an internet connection could take a peek at the NFTs' inner workings. It's good for transparency, but bad for security: An hour or so after the sale began, someone was able to use that foreknowledge to exploit the Akutars smart contract.
The exploiter even left a message in the malicious transaction:
"Well, this was fun, had no intention of actually exploiting this lol. Otherwise I wouldn't have used coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately. - USER221"
While the exploit didn't completely break the contract, it set off a chain reaction that ended with $35 million in ETH being "locked" in the treasury. Because code deployed on Ethereum is "immutable" and can't be modified, the developers have no recourse, and the funds are permanently lost.
The next day, developers used the official Akuverse Twitter account to ask for help creating a new version of the contract.
"We are looking for any code reviewers and auditors to help double and triple check out [sic] minting contract," the company wrote. "Please @ us!" The new plan was to send Akutars to existing Akuverse members for free, and process partial refunds for anyone who put money into that initial faulty contract.
Amazingly, this seems to have appeased the Akuverse community. Traders spent the weekend praising Micah Johnson for agreeing to start the Akutars launch over, "brick by brick," rather than just abandoning the project. The community launched a hashtag, #weareaku as a show of solidarity with the embattled developers and pushed back against skepticism. It's also widely believed that the initial exploiter was actually a Good Samaritan looking to expose – rather than abuse – the faulty code.
If everyone gets their refunds, it will be the Aku team, not the community, taking the $35+ million loss.
Code is law
There's an old principle, in crypto, that "code is law." Once you've deployed your smart contracts on the blockchain, they're only ever going to run one way. This makes it difficult to fix bugs after the fact.
Developers can update their code after reviews or audits but doing so means migrating assets over to an entirely new contract. It's part of why the industry's security philosophy hinges on the "DYOR" ethos – "do your own research," an extreme emphasis on personal responsibility. Because much of the code is transparent and updates remain burdensome, it's generally accepted that errors are the responsibility of users, rather than just developers.
So, what happens when the "law" includes a system-breaking bug? There's no bank to appeal to, no fail-safe that might recover lost funds.
This is the potential cost of doing things entirely on-chain. If crypto-backed communities are the new companies, and NFT projects a new mode of raising capital, then who's responsible for these sorts of slipups?
Say an early-stage startup raises a few million dollars, and then immediately loses the money; even if it stems from an honest mistake, it's hard to imagine investors would just be fine with that. The startup couldn't throw up its hands and claim "code is law" – it wouldn't hold up in court.
Ultimately, someone is responsible for the loss of funds. But because it's the Aku brand taking the losses, and because Micah Johnson and his team apparently have the resources to just shell out $35+ million to Aku investors, community members don't seem too mad about the mistake.
The Akutars debacle is a warning for the community-as-company NFT model. Once the code collapsed, Aku investors were effectively at the mercy of this one guy. Who's to say the next Micah Johnson won't just jump ship the moment things go south?
–Will Gottsegen
Drugs, Drugs and More Drugs: Crypto on the Dark Web