Crypto hacks have become quite frequent in the last year with platforms such as Poly Network, Crypto.com, BitMart, and others losing cryptocurrencies worth millions of dollars. The latest crypto heist is an attack on blockchain music streaming platform Audius.
Audius announced that a malicious governance proposal, tagged Proposal #85, was approved via an exploit. The proposal requested the transfer of 18 million AUDIO tokens (the platform's token), worth $6.1 million, from its community treasury.
Hello everyone – our team is aware of reports of an unauthorized transfer of AUDIO tokens from the community treasury. We are actively investigating and will report back as soon as we know more.
If you'd like to help our response team, please reach out.
— Audius 🎧 (@AudiusProject) July 24, 2022
The approval, which came on Sunday, was first noticed by a Twitter account with the handle Spreekaway. The hacker(s) created the malicious proposal and were able to initialize the governance contract and make themselves its sole guardian.
Audius is a decentralized music streaming protocol that enables artists to monetize their talents using its governance and utility token, AUDIO. The AUDIO token can be used on both the Ethereum and Solana networks thanks to its cross-chain capabilities. While proposals in the crypto space help communities make consensual decisions, the passing of a malicious governance proposal cost Audius $6.1 million worth of AUDIO tokens, which the hacker sold for $1.1 million.
“This was an exploit. Not a proposal proposed or passed through any legitimate means. It just happened to use the governance system as the entry point for the attack,” Audius co-founder and CEO Roneil Rumburg said, emphasizing that the community did not pass a malicious proposal.
Audius said that its investigations revealed the unauthorized transfer of AUDIO tokens from the company’s treasury. The platform paused all of its smart contracts and AUDIO tokens on the Ethereum blockchain to avoid further losses.
It has since resumed token transfers, adding: “Remaining smart contract functionality is being unpaused after thorough examination/mitigation of the vulnerability.”
According to PeckShield, the hack was a result of Audius’ storage layout inconsistencies. Although the hacker stole 18 million tokens worth $6.1 million, they were soon sold for $1.1 million. While this dumping resulted in maximum slippage, investors recommended an immediate buyback to prevent existing investors from dumping and further lowering the token’s floor price.
The issue of @AudiusProject lies in inconsistent storage layout between its proxy and impl. In particular, the collision of Audius Community Treasury contract results in an equivalence of disabling the initializer modifier. The proxyAdmin addr (0x..abac) plays a role here. pic.twitter.com/x4CqRncahp
— PeckShield Inc. (@peckshield) July 24, 2022
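The collision PeckShield describes can be modelled offline as a layout check. The Python sketch below is an added example, not code from Audius or PeckShield: it applies Solidity's slot-packing rules to a proxy layout and an implementation layout, reports overlapping variables, and shows what an initializer guard reads when its flags share a slot with a proxy admin address. The two layouts, the simplified guard and the address (apart from its abac suffix) are assumptions constructed for illustration.

```python
# Added illustration: models Solidity storage packing to find proxy/implementation overlaps.
# Layouts and the address are constructed; only the "abac" suffix comes from the page.

def layout(variables):
    """Assign (slot, offset, size) to each (name, size_bytes) using Solidity packing rules."""
    out, slot, offset = {}, 0, 0
    for name, size in variables:
        if offset + size > 32:          # does not fit in the current 32-byte slot
            slot, offset = slot + 1, 0
        out[name] = (slot, offset, size)
        offset += size
    return out

def collisions(proxy_vars, impl_vars):
    """Return (proxy_name, impl_name) pairs whose bytes overlap in the same slot."""
    hits = []
    for pname, (ps, po, pz) in layout(proxy_vars).items():
        for iname, (s, o, z) in layout(impl_vars).items():
            if ps == s and po < o + z and o < po + pz:
                hits.append((pname, iname))
    return hits

def read_field(slot_value, offset, size):
    """Read a packed field; offset counts from the low-order byte of the slot."""
    return (slot_value >> (8 * offset)) & ((1 << (8 * size)) - 1)

def initializer_allows(initialized, initializing):
    """Simplified guard in the style of a legacy initializer modifier (assumed form)."""
    return bool(initializing) or not bool(initialized)

PROXY_VARS = [("proxyAdmin", 20)]                       # assumed: address in slot 0
IMPL_VARS = [("initialized", 1), ("initializing", 1)]   # assumed: two bools in slot 0
ADMIN = int("11" * 18 + "abac", 16)                     # constructed address ending in abac

def guard_state(slot0):
    """Decode the implementation's flags from slot 0 and evaluate the guard."""
    lay = layout(IMPL_VARS)
    initialized = read_field(slot0, lay["initialized"][1], 1)
    initializing = read_field(slot0, lay["initializing"][1], 1)
    return initialized, initializing, initializer_allows(initialized, initializing)

if __name__ == "__main__":
    print(collisions(PROXY_VARS, IMPL_VARS))  # variables sharing bytes of slot 0
    print(guard_state(ADMIN))                 # flags decoded from the admin address bytes
    print(guard_state(1))                     # a non-colliding slot after one initialization
```

Running the same overlap check against the compiler's storage-layout output for a proxy and its implementation, before deployment or upgrade, is how this class of inconsistency is caught.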
Although this shouldn’t be a question, which platform is next? Because it seems like hacks on crypto platforms are here to stay.