An unidentified threat actor managed to steal $6 million worth of Audio tokens from the popular decentralized music platform Audius over the weekend.
The platform is run by an open source community of over 5 million unique users, including artists, fans and developers, who can connect directly via the streaming service’s social media features.
According to the blockchain-powered streaming service, the hacker exploited a flaw in the contract initialization code, transferring 18MM $AUDIO tokens from the community treasury into his wallet.
“On July 23, 2022, the Audius governance, staking, and delegation contracts on Ethereum mainnet were compromised due to a bug in the contract initialization code that allowed repeated invocations of the initialize functions,” Audius said in a post-mortem report.
“The bug allowed an attacker to maliciously transfer 18MM $AUDIO tokens held by the Audius governance contract (referred to as the ‘community treasury’) to a wallet of their control and modify dynamics of the voting system to illicitly change their staked $AUDIO amounts in the network.”
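The class of bug the post-mortem describes, a proxy-style initializer that can be invoked again after deployment, shown as an added illustration beside its hardened form. This is not Audius’s contract code; the contract names, the `guardian` and `treasury` roles, and the `initialized` flag are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only: not Audius's code. In upgradeable (proxy) deployments a
// constructor never runs against the proxy's storage, so an initialize()
// function takes its place and must itself enforce "run once".
contract VulnerableGovernance {
    address public guardian;   // hypothetical privileged role
    address public treasury;   // hypothetical token-holding address

    // No guard: a later caller can re-run this and reassign the privileged role.
    function initialize(address _guardian, address _treasury) external {
        guardian = _guardian;
        treasury = _treasury;
    }

    // Any action gated on `guardian` inherits the weakness above.
    function setTreasury(address _treasury) external {
        require(msg.sender == guardian, "not guardian");
        treasury = _treasury;
    }
}

// Hardened form: a one-shot flag makes every repeat invocation revert.
// (OpenZeppelin's Initializable provides the same modifier in production.)
contract HardenedGovernance {
    address public guardian;
    address public treasury;
    bool private initialized;  // assumed storage flag, set exactly once

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    function initialize(address _guardian, address _treasury) external initializer {
        require(_guardian != address(0), "guardian is zero address");
        guardian = _guardian;
        treasury = _treasury;
    }

    function setTreasury(address _treasury) external {
        require(msg.sender == guardian, "not guardian");
        treasury = _treasury;
    }
}
```

A deployment check worth automating: call `initialize` a second time against the live proxy from a test account and confirm it reverts, and verify the `initialized` flag lives in a storage slot the proxy itself does not also write to.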
After unlawfully transferring the funds, the attacker traded the stolen tokens for a little over $1 million and used the Tornado Cash protocol to obscure the origin of the funds.
Fortunately, Audius developers quickly deployed a fix, preventing further financial damage.
“The vulnerability was mitigated within a few hours of discovery, and work is continuing to examine the storage modifications made by the attacker and to ensure safe resumption of the remaining Audius smart contract systems (Staking and DelegateManager),” Audius added.
“The vast majority of Audius foundation, team, community (e.g. via staking) and other funds associated with the ecosystem are safe and were unaffected by this incident. Work is in progress in collaboration with the community on possible remediations for the loss of funds, and we are fortunate that many options are still available. These will be discussed over coming weeks in the Audius governance forum, Discord, and other venues before being proposed to the Audius governance process.”