Crypto Opinions & News Hackers steal $6 million from blockchain music platform Audius

Disclaimer: Any information contained on this forum is provided as general market commentary, and does not constitute investment, financial, trading or other sort of advice.

Gandalf_The_Grey

The decentralized music platform Audius was hacked over the weekend, with threat actors stealing over 18 million AUDIO tokens worth approximately $6 million.

Audius is a decentralized streaming platform hosted on the Ethereum blockchain where artists can earn AUDIO tokens by sharing their music, and users can earn tokens by curating and listening to content.

After a hacker stole $6 million worth of AUDIO tokens this weekend, the platform responded within minutes by freezing several services until the developers could deploy fixes to prevent further theft of tokens.

According to a post-mortem report published by Audius on Sunday, the hacker exploited a bug in the contract initialization code that allowed them to perform repeated invocations of the initialize functions.

This enabled the intruder to transfer 18.5 million AUDIO tokens held by the so-called “community treasury” to their wallet, which both stole a significant amount of money and, because AUDIO is the platform's governance token, gave the attacker outsized voting power over the platform.

Next, the actor attempted to execute four governance proposals. Three failed, but one passed, transferring the entirety of the Audius community pool to the attacker's wallet.
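The attack chain described above (re-runnable initializer, then takeover of the privileged address that controls the treasury) is easiest to see in code. The following is an added, hypothetical illustration written for this post; it is not Audius' contract code and does not claim to reproduce their exact bug. `TreasuryVulnerable`, `TreasuryHardened`, `transferOut` and the attack steps in the comments are all assumptions for the example, shown beside the one-shot initializer guard that prevents the re-initialisation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical example contracts, not Audius code.

// Minimal slice of the standard ERC-20 interface used by the treasury.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// --- Vulnerable pattern: an initializer with no one-shot guard ---------------
// Upgradeable (proxy-based) contracts cannot rely on constructors, so setup
// lives in initialize(). If nothing records that it already ran, any later
// caller can run it again and overwrite the privileged addresses.
contract TreasuryVulnerable {
    address public governance;   // the only address allowed to move funds
    IERC20  public token;

    function initialize(address _governance, IERC20 _token) external {
        // BUG: no check that initialisation already happened.
        governance = _governance;
        token = _token;
    }

    function transferOut(address to, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Attack sequence against TreasuryVulnerable (hypothetical, from any account):
//   1. treasury.initialize(attacker, token);           // attacker is now "governance"
//   2. treasury.transferOut(attacker,
//          token.balanceOf(address(treasury)));        // drain the held balance
// No tokens are minted; existing balances are simply redirected.

// --- Hardened pattern: a one-shot initializer --------------------------------
contract TreasuryHardened {
    // Dedicated guard slot. It is kept as a full-width word rather than packed
    // with other state so that later upgrades cannot silently alias it.
    uint256 private _initialized;

    address public governance;
    IERC20  public token;

    event Initialized(address governance, address token);

    modifier initializer() {
        require(_initialized == 0, "already initialized");
        _initialized = 1;   // set before the body runs, so re-entry also fails
        _;
    }

    // Lock the logic contract itself: only a proxy's storage (which starts at
    // zero) should ever be initialised, never the implementation's own storage.
    constructor() {
        _initialized = 1;
    }

    function initialize(address _governance, IERC20 _token) external initializer {
        require(_governance != address(0), "zero governance");
        require(address(_token) != address(0), "zero token");
        governance = _governance;
        token = _token;
        emit Initialized(_governance, address(_token));
    }

    function transferOut(address to, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

In practice the guard is usually taken from OpenZeppelin's `Initializable` contract (its `initializer` modifier does the same job), and a unit test that deploys behind a proxy, calls `initialize` once, and asserts that a second call reverts with "already initialized" is the cheapest regression check for this class of bug. The caveat a reviewer should keep in mind: the guard only works if the storage slot it lives in is genuinely reserved for it, so when a proxy keeps its own state variables, confirm that the proxy's and the logic contract's storage layouts do not overlap.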

As Audius concluded in the post-mortem report, no new tokens were minted, and the incident had no impact on the circulating token supply. All remaining user funds are safe, according to the platform.

By late Sunday, the AUDIO token was fully functional again, but the “Staking” and “Delegate Manager” smart contract systems have not resumed operation as the fixes are still being evaluated.

In the meantime, the attacker traded their tokens on Uniswap for only $1.07 million, losing 5/6 of their value, and then passed them through the Tornado Cash mixing service to hide the trail of the stolen funds.

Audius’ contract system has undergone two in-depth security assessments, in August 2020 and October 2021, from two different auditors, but neither discovered the exploited vulnerability.

“Audits are not bulletproof, and time spent in the market (and the resulting Lindy effect) can help build confidence but does not rule out opportunities for exploitation,” comments Audius in the post-mortem.

“These contracts were deployed in October 2020, and this vulnerability has been live in the wild since that time.”

This is a teaching moment for Audius and other blockchain-based projects, showing that audits, even when performed by more than one firm, do not always find every exploitable bug.

Audius also promised to improve its incident response, for which the post-mortem identified several areas of improvement.

While the Audius attack was not as large as those on Axie Infinity's Ronin bridge and Poly Network, where hackers stole over $600 million worth of tokens from each project, the hacker still stole a significant number of tokens.

In this case, Audius was lucky that the cyberattack unfolded when most of its team members were awake and could respond quickly to prevent further theft.