- A hacker compromised the Audius governance protocol and stole $6 million worth of AUDIO tokens over the weekend
- The hacker managed to create and approve a governance vote awarding himself the tokens
- The hacker sold the coins immediately, crashing the price and getting away with $1 million
A hacker has found a unique way of stealing a million dollars by exploiting the Audius protocol proposal voting mechanism. The hacker managed to create and pass a malicious proposal to award himself 18 million AUDIO tokens, worth $6.1 million, getting away with $1 million worth. Audius alerted its followers yesterday that the tokens had been taken from the community treasury, and released a post mortem over the weekend which explained how the hack took place.
Hello everyone – our team is aware of reports of an unauthorized transfer of AUDIO tokens from the community treasury. We are actively investigating and will report back as soon as we know more.
If you’d like to help our response team, please reach out.
— Audius 🎧 (@AudiusProject) July 24, 2022
Community Treasury Hit
Audius reported that the exploit was carried out on the Audius governance, staking, and delegation contracts and that the hacker took advantage of a “bug in the contract initialization code” which allowed repeated invocations of the ‘initialise’ functions. This bug allowed the attacker to create and approve a proposal to issue himself the AUDIO tokens from the Audius governance contract (referred to as the “community treasury”) and withdraw them to his own wallet.
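The post mortem attributes the exploit to an initialization function that could be invoked more than once. The following Solidity is an added illustration of that general failure mode and its usual fix; it is constructed for this article and is not Audius's code, and the contract names, state variables and the `initializer` modifier shown here are assumptions (the page does not say which storage the repeated call overwrote in the Audius contracts).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example, not the Audius contracts.
// Upgradeable (proxy-based) contracts cannot rely on a constructor to set
// storage, so they expose an initialize() function that must run exactly once.

// Weak pattern: nothing prevents a second call, so any later caller can
// overwrite privileged configuration such as the guardian address.
contract UnguardedGovernance {
    address public guardian;
    uint256 public votingQuorum;

    function initialize(address _guardian, uint256 _quorum) external {
        guardian = _guardian;
        votingQuorum = _quorum;
    }
}

// Hardened pattern: a one-shot flag makes any repeat invocation revert.
// OpenZeppelin's Initializable ships the same guard as an `initializer`
// modifier; this hand-written version only shows the mechanism.
contract GuardedGovernance {
    address public guardian;
    uint256 public votingQuorum;
    bool private _initialized;

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    function initialize(address _guardian, uint256 _quorum)
        external
        initializer
    {
        guardian = _guardian;
        votingQuorum = _quorum;
    }
}
```

The check a reviewer wants on a deployed proxy is behavioural rather than textual: in a test, call `initialize` twice and assert that the second call reverts, and confirm on-chain that the flag protecting the initializer really lives in the storage slot the guard reads, since a guard is only as good as the slot it inspects.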
The hacker then took the tokens to a decentralised exchange where he quickly sold the tokens for whatever he could get, temporarily crashing the price and making away with just one sixth of the value.
Smart Contract Audit Didn’t Spot Vulnerability
Audius reassured users that the tokens were taken from an existing wallet and were not newly minted tokens, meaning that the supply was not affected. The team added that “audits are not bulletproof” and said that the impacted contracts were deployed in October 2020, with the vulnerability being “live in the wild” since then.
The Audius contract was checked by OpenZeppelin in August 2020 prior to its launch, with the vulnerability not spotted at the time.