Hackers Stole $6 Million from Audius after Passing A Malicious Governance Proposal

TL: DR
- An attacker stole AUDIO tokens worth more than $6 million from Audius, a Web3 music platform.
- The attacker was able to withdraw more than 10 trillion worth of AUDIO tokens from the platform and exchange them for Ethereum. They then traded the ETH for cash through an exchange platform.
- According to the CEO of Audius, the loophole the attacker used has been mitigated and cannot be re-exploited.

Keywords: Audius, AUDIO, ETH, Tokens, Attackers, Governance proposal.


Crypto proposals are means of achieving consensus among blockchain communities. However, a hack occurred as a result of the passing of a malicious governance proposal. A decentralized music platform, Audius, lost $6.1 million in tokens, with the attacker pocketing $1 million.

During a hack on July 23, Audius, a decentralized music streaming platform, was exploited through a vulnerability in its governance smart contract code. As a result, the attacker stole around $6.05 million in AUDIO tokens, the platform's native cryptocurrency. The attacker succeeded with their plans when the community approved the malicious proposal tagged Proposal #85. As a result, AUDIO tokens worth 18 million were transferred. According to an account on Twitter, speekaway, the attacker created malicious proposals to call, initialize, and set themselves as the government contracts' sole agent.


How the Attacker carried out the theft

---

According to Audius' post-mortem of the attack, the attacker found a flaw in the initialization code that allowed him to manipulate Audius' governance, staking, and delegation contracts. The initialization code is a type of code that allows a decentralized platform to carry out operations without relying on centralized administrators.

Using the exploit, the attacker redefined voting on Audius and tried to delegate 10 trillion AUDIO tokens twice to their wallets. Based on the report, the attacker's first attempt failed, but he succeeded with his second malicious proposal.

In this way, the attacker could transfer 18,564,497 AUDIO tokens to an Ethereum wallet and steal them.

Based on blockchain data from the attacker's wallet, the attacker swapped the stolen tokens for 704.17 Ether (ETH), worth more than $1.09 million at the time on Uniswap.

Audius discovered the exploit more than half an hour after the attacker delegated 10 trillion AUDIO tokens. After the discovery, the team implemented the initial fix. However, at the time of this report, all contracts on the platform are being upgraded, so some functionalities are currently unavailable.







Audius Response To the Hack

---

Roneil Rumburg, Audius' co-founder and CEO, told Cointelegraph that no malicious proposal was passed:

"This was an exploit — not a proposal proposed or passed through any legitimate means — it just happened to use the governance system as the entry point for the attack."


According to Audius, an unauthorized third party robbed the company's treasury of AUDIO tokens. After this disclosure, Audius proactively halted all Ethereum-based smart contracts and AUDIO tokens as a precaution. After a thorough examination/mitigation of the vulnerability, the company recommenced token transfers shortly afterward.

According to blockchain investigator Peckshield, Audius' inconsistencies were the cause of the problem.


After the attacker's governance proposal drains 18 million tokens worth nearly $6 million from the company's treasury, they are quickly dumped and resold for $1.08 million. Investors recommended an immediate buyback following the dumping to prevent additional dumping and further lower the token's floor price.


Conclusion

---

According to Audius' co-founder and CEO, Roneil Rumburg, the root cause of the exploit had been mitigated and could not be re-exploited. In addition, the community treasury remains separate from the foundation treasury, thus protecting the remaining funds.




Author: Gate.io Observer: M. Olatunji
Disclaimer:
* This article represents only the views of the observers and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.