Threat actors broke into the decentralized music platform Audius over the weekend and stole more than 18 million AUDIO tokens, which are currently valued at about $6 million. Audius is a decentralized streaming service that runs on the Ethereum blockchain. Users may receive tokens by curating and listening to content, while artists can get AUDIO tokens by sharing their music.
The platform froze a number of services immediately after the theft while its engineers shipped fixes to prevent further token theft. According to the post-mortem report Audius released, the attacker exploited a weakness in the contract initialization code that allowed the initialize methods to be invoked more than once. This let them move 18.5 million AUDIO tokens from the platform’s so-called “community treasury” to their own wallet, stealing a substantial sum and altering the governance dynamics in the process.
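As an added illustration of the bug class the post-mortem describes (not Audius’ own contracts, and not a reconstruction of the specific flaw), the constructed Solidity below shows an initializer that any caller can re-run to overwrite privileged addresses, next to a version guarded by a one-shot flag; the contract and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: contracts deployed behind an upgradeable proxy cannot rely
// on a constructor, so their state is set in initialize(). If that function can be
// called more than once, a later caller can replace the governance or treasury
// address and redirect funds.
contract TreasuryVulnerable {
    address public governance;
    address public treasury;

    // No guard: every call, including one from an attacker, overwrites the state.
    function initialize(address _governance, address _treasury) external {
        governance = _governance;
        treasury = _treasury;
    }
}

// Hardened form: a one-shot flag rejects every call after the first, and the
// event gives defenders an on-chain record of when (and by whom) it was set.
contract TreasuryGuarded {
    bool private initialized;
    address public governance;
    address public treasury;

    event Initialized(address indexed caller, address governance, address treasury);

    function initialize(address _governance, address _treasury) external {
        require(!initialized, "already initialized");
        require(_governance != address(0) && _treasury != address(0), "zero address");
        initialized = true;
        governance = _governance;
        treasury = _treasury;
        emit Initialized(msg.sender, _governance, _treasury);
    }
}
```

A second `initialize` call on `TreasuryGuarded` reverts, while the same call on `TreasuryVulnerable` silently replaces both addresses; monitoring for `Initialized` events emitted after deployment is a cheap detection for the guarded variant.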
The attacker then made four attempts to execute governance proposals, three of which failed and one of which succeeded, after which the entire Audius community pool was transferred to the attacker’s wallet. No new tokens were created, and the incident did not affect the number of tokens in circulation, as Audius stated in the post-mortem report. According to the platform, all remaining user funds are secure. The AUDIO token was back in service late Sunday, but the “Staking” and “Delegate Manager” smart contract systems remain paused while the changes are still being assessed.
To obscure the trail of the stolen funds, the attacker moved the tokens through the Tornado Cash mixing service while at the same time selling them on Uniswap for just $1.07 million, giving up roughly five-sixths of their value. Two separate auditors performed two comprehensive security audits of Audius’ contract system, in August 2020 and October 2021, but neither found the exploited vulnerability.
“Audits are not bulletproof, and time spent in the market (and the resulting Lindy effect) can help build confidence but does not rule out opportunities for exploitation,” comments Audius in the post-mortem. “These contracts were deployed in October 2020, and this vulnerability has been live in the wild since that time.”
This serves as a lesson for Audius and other blockchain-based projects: not every exploitable flaw is caught by the required audits. Another area for improvement recognized by Audius was its incident response, which the company pledged to improve in the future.
The hacker nevertheless took a sizable number of tokens from the Audius project, even though the attack was not as large as those on Axie Infinity’s Ronin bridge and Poly Network, where hackers stole more than $600 million worth of tokens from each project. In this instance, Audius was fortunate that the hack occurred while most of its employees were awake and available to act promptly to prevent further theft.