Decentralized music streaming platform Audius suffered a hack with more than $6 million in AUDIO tokens stolen.
The attacker exploited a vulnerability in the platform’s governance smart contract, as detailed by Audius in a postmortem report of the attack. According to Audius, a bug allowed the hacker to manipulate the service’s Ethereum-based governance, staking, and delegation contracts. Smart contracts are code that essentially writes the rules for decentralized platforms, enabling them to operate without a centralized intermediary.
Audius uses the Ethereum blockchain for its AUDIO tokens, and it was these Ethereum contracts that were exploited. The attacker altered the Audius voting structure in an attempt to delegate 10 trillion AUDIO tokens to hacker-owned wallets and push through governance proposals.
The move didn’t affect the supply of AUDIO tokens, but it did allow the attacker to pass a governance proposal to send the entirety of the community token pool to an external wallet. 18.6 AUDIO tokens were stolen in this manner, worth around $6.1 million at the time of the hack.
Audius says the team was alerted to the attack about 25 minutes after the token transfer started. The team reached out to a white hat web3 hacker to help thwart the smart contract exploit attempt. After the team realized the exploit was still active, they developed fixes using the same vulnerability targeted by the hacker.
“The issue has been found and fixes are in progress to get things back to a stable state,” an update from the Audius platform reads. “To prevent further damage, all Audius smart contracts on Ethereum had to be halted, including the token. We do not believe any further funds are at risk.”
While the tokens were worth around $6 million at the time they were stolen, the hacker traded them for much less. The tokens were traded for 705 wrapped ETH – or $1.07 million at the time of writing. After the hacker exchanged the Audius tokens on Uniswap, they moved all the wETH to a crypto mixing service called Tornado Cash, which launders funds in an attempt to conceal their origins.
The hack wipes out the $5 million funding round Audius crowed about back in September 2021.