How Attackers Stole Around $1.1M Worth of Tokens From Decentralized Music Project Audius

The sophisticated exploit involved attackers passing a malicious governance proposal by exploiting smart contracts.

AccessTimeIconJul 25, 2022 at 11:30 a.m. UTC
Updated May 11, 2023 at 6:42 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

About $1.1 million worth of Audius’ AUDIO tokens were stolen over the weekend in a sophisticated attack that involved the project’s governance forums.

Audius, a tokenized music streaming project, relies on community voting and governance to make decisions. On Saturday, a malicious proposal saw attackers put up a fake post and manipulate token votes to steal funds.

The attackers initially floated “Proposal #84,” which delegated 10 trillion AUDIO internally to the staking contract (with no token supply change). That transaction failed because no votes were cast on the proposal.

Attackers then floated “Proposal #85,” which requested the transfer of 18 million AUDIO tokens in a governance vote. The attackers were then “able to call initialize() and set himself as the sole guardian" of that governance contract, Audius developers explained in a post-mortem report on Monday.

The initialize() function gives a program its initial data point in a smart contract. That allowed the attacker to control the governance proposal solely and transfer tokens as the proposal was passed.

After Proposal #85 was put up, a transaction was executed that delegated 10 trillion AUDIO toward the votes, thus skewing the proposal in favor of the attacker. Circulating supply was unaffected, but the proposal passed as the erroneous votes were able to trick Audius’ smart contacts. That allowed the attackers to maliciously transfer 18 million AUDIO tokens held by the Audius governance contract, referred to as the “community treasury, to a wallet of their control."

The stolen tokens were then exchanged for more than 700 ethers (ETH), worth around $1.08 million at the time of writing, on privacy swap service Tornado Cash, blockchain data of the attacker’s wallet –0xa62c3ced6906b188a4d4a3c981b79f2aabf2107f – shows.

Meanwhile, Audius developers said a bug allowed the attacker to pass the initialize() function. “The Audius governance, staking, and delegation contracts on Ethereum mainnet,” developers explained in the post-mortem.

“[These] were compromised due to a bug in the contract initialization code that allowed repeated invocations of the initialize functions,” they added.

The set of exploited contracts was previously audited by the OpenZeppelin team, but the vulnerability wasn't caught at the time, Audius developers said. All remaining funds are safe and fixes have been deployed as of Monday.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.


Read more about