The decentralized music platform Audius was hacked over the weekend, with threat actors stealing over 18 million AUDIO tokens worth approximately $6 million.
Audius is a decentralized streaming platform hosted on the Ethereum blockchain where artists can earn AUDIO tokens by sharing their music, and users can earn tokens by curating and listening to content.
After a hacker stole $6 million worth of AUDIO tokens this weekend, the platform responded within minutes by freezing several services until the developers could deploy fixes to prevent further theft of tokens.
According to a post-mortem report published by Audius on Sunday, the hacker exploited a bug in the contract initialization code: the initialize functions, which are meant to run exactly once when a contract is deployed, could be invoked again and again by anyone.
This enabled the intruder to transfer 18.5 million AUDIO tokens held by the so-called “community treasury” to their wallet, stealing a significant amount of money and, because AUDIO is the token used for voting, shifting the balance of power in the platform’s on-chain governance.
Next, the actor submitted four governance proposals. Three failed, but one passed and transferred the entirety of the Audius community pool to the attacker’s wallet.
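To make the bug class concrete, here is a minimal Solidity illustration added for this article. It is not Audius’ code and does not reproduce the exact flaw described in the post-mortem; the contract and function names (TreasuryVulnerable, TreasuryHardened, Attacker, initialize, withdraw) are assumptions chosen for the example. The vulnerable contract lets anyone call initialize() after deployment and become the governance address; the hardened version adds a one-shot guard of the kind the OpenZeppelin “initializer” modifier provides.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example code, not the Audius contracts. Names are illustrative.

// VULNERABLE: initialize() has no "already initialized" check, so it can be
// called repeatedly after deployment. Whoever calls it last owns the treasury.
contract TreasuryVulnerable {
    address public governance;

    // Lets the contract hold ether so the drain below is observable.
    receive() external payable {}

    function initialize(address _governance) external {
        governance = _governance; // overwritten on every call
    }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        to.transfer(amount);
    }
}

// Attacker contract: one call re-initializes, the next drains the balance.
contract Attacker {
    function run(TreasuryVulnerable t) external {
        t.initialize(address(this));                      // take over governance
        t.withdraw(payable(msg.sender), address(t).balance); // drain funds
    }
}

// HARDENED: a one-shot initializer guard. The first call sets the flag;
// every later call reverts before any state is touched.
contract TreasuryHardened {
    bool private initialized;
    address public governance;

    receive() external payable {}

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    function initialize(address _governance) external initializer {
        governance = _governance;
    }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        to.transfer(amount);
    }
}
```

Two caveats a reviewer would check in a real deployment: the guard must be present on every initialize function, including those in parent contracts, and in a proxy-based upgradeable system the flag must live in a storage slot that the proxy contract itself never writes, otherwise the guard can be silently defeated even though the code above looks correct in isolation.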
As Audius concluded in the post-mortem report, no new tokens were minted, and the incident had no impact on the circulating token supply. All remaining user funds are safe, according to the platform.
By late Sunday, the AUDIO token was fully functional again, but the “Staking” and “Delegate Manager” smart contract systems have not resumed operation as the fixes are still being evaluated.
In the meantime, the attacker sold their tokens on Uniswap for only $1.07 million, as dumping such a large amount into the pool drove the price down and cost them roughly five-sixths of the tokens’ nominal value, and then passed the proceeds through the Tornado Cash mixing service to hide the trail of the stolen funds.
Exploited system was audited twice
Audius’ contract system has undergone two in-depth security assessments in August 2020 and October 2021 from two different auditors, but neither discovered the exploited vulnerability.
“Audits are not bulletproof, and time spent in the market (and the resulting Lindy effect) can help build confidence but does not rule out opportunities for exploitation,” comments Audius in the post-mortem.
“These contracts were deployed in October 2020, and this vulnerability has been live in the wild since that time.”
This is a teaching moment for Audius and other blockchain-based projects, showing that even repeated audits by different firms do not always find all exploitable bugs.
Audius also promised to improve its incident response, for which the post-mortem identified several shortcomings.
While the Audius attack was not as large as those on Axie Infinity’s Ronin bridge and Poly Network, where hackers stole over $600 million of tokens from each project, the hacker still stole a significant number of tokens.
In this case, Audius was lucky that the cyberattack unfolded when most of its team members were awake and could respond quickly to prevent further theft.