Hacker drains about $6 million from Audius, the decentralised platform

On July 23, an unknown attacker siphoned roughly $6 million in digital assets from the community treasury of the decentralised streaming platform Audius. The intruder modified the smart contract configuration and initiated a malicious governance proposal.

Hello everyone — our team is aware of reports of an unauthorized transfer of AUDIO tokens from the community treasury. We are actively investigating and will report back as soon as we know more.

If you’d like to help our response team, please reach out.

— Audius 🎧 (@AudiusProject) July 24, 2022

“Our team is aware of an unauthorized transfer of AUDIO tokens from the community treasury. We are actively investigating the incident and will report back on the investigation results later,” according to the developers’ statement.

According to the security-focused firm CertiK, the attacker modified the smart contract configuration, allowing them to assign themselves the role of "guardian" and change the voting period.

Subsequently, the attacker posted a governance proposal that envisaged transferring 18 million AUDIO to an external wallet, and voted in its favour.

(1/2) The attacker called the "initialize" function in the Audius governance contract to modify configurations (through re-initialization) such as "voting period", "execution delay", "guardian address".

Then the attacker submitted the malicious proposal (ID 85).

— CertiK Alert (@CertiKAlert) July 24, 2022

At the time of the attack, the market value of the stolen assets was around $6 million, but due to significant price slippage the hacker sold them for 705 ETH (approximately $1.14 million). According to Etherscan, the attacker transferred the funds to the Tornado Cash mixer address.

PeckShield analysts noted that the attacker was able to reach the Audius treasury because of an inconsistent storage layout between the project's proxy and implementation contracts.

The issue of @AudiusProject lies in inconsistent storage layout between its proxy and impl. In particular, the collision of Audius Community Treasury contract results in an equivalence of disabling the initializer modifier. The proxyAdmin addr (0x..abac) plays a role here. pic.twitter.com/x4CqRncahp

— PeckShield Inc. (@peckshield) July 24, 2022
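The collision PeckShield describes, and the re-initialization CertiK reports, can be modelled offline; the sketch below is an added example, not code from Audius, CertiK or PeckShield. It assumes the implementation's initializer guard keeps two boolean flags in storage slot 0, the same slot where the proxy keeps its admin address; the addresses are constructed apart from the `abac` suffix quoted in the tweet, and all function names are hypothetical.

```python
# Added illustration (not Audius code). Assumed layout: the implementation's
# initializer guard keeps two bool flags in storage slot 0, and the proxy keeps
# its admin address in that same slot. Under delegatecall both share storage.

# Constructed address: only the trailing bytes "abac" come from the tweet.
ADMIN_ABAC = "0x" + "11" * 18 + "abac"
ADMIN_00AC = "0x" + "11" * 18 + "00ac"   # constructed contrast case

# (name, slot, byte offset from the low-order end, size in bytes)
PROXY_LAYOUT = [("proxyAdmin", 0, 0, 20)]
IMPL_LAYOUT = [("initialized", 0, 0, 1), ("initializing", 0, 1, 1)]


def pack_address(addr_hex):
    """A 20-byte address occupies the low-order bytes of its 32-byte slot."""
    return int(addr_hex, 16).to_bytes(32, "big")


def read_bool(slot, offset):
    """Read the byte at `offset` from the low-order end; any non-zero byte is true."""
    return slot[31 - offset] != 0


def initializer_allows(slot, is_constructor=False):
    """Guard in the assumed legacy style: initializing || constructor || !initialized."""
    initialized = read_bool(slot, 0)
    initializing = read_bool(slot, 1)
    return initializing or is_constructor or not initialized


def layout_collisions(proxy_layout, impl_layout):
    """Defender's check: report variables whose byte ranges overlap in one slot."""
    hits = []
    for p_name, p_slot, p_off, p_size in proxy_layout:
        for i_name, i_slot, i_off, i_size in impl_layout:
            if p_slot == i_slot and p_off < i_off + i_size and i_off < p_off + p_size:
                hits.append((p_name, i_name))
    return hits


if __name__ == "__main__":
    clean = (1).to_bytes(32, "big")  # initialized=1, initializing=0
    print("clean slot, guard allows re-init:", initializer_allows(clean))
    print("...abac admin, guard allows re-init:", initializer_allows(pack_address(ADMIN_ABAC)))
    print("...00ac admin, guard allows re-init:", initializer_allows(pack_address(ADMIN_00AC)))
    print("collisions:", layout_collisions(PROXY_LAYOUT, IMPL_LAYOUT))
```

The contrast case shows why the admin address itself mattered: with a zero second-lowest byte the same overlap would leave the guard closed, while the layout check flags the collision in both cases.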

To prevent further losses, Audius developers paused the platform’s smart contracts. On July 24, the team resumed the AUDIO contract.

In the second quarter of 2022, total losses across crypto projects from hacks and fraud exceeded $670 million, according to Immunefi.
