Web3 music streaming app Audius suffered an attack on its community treasury, resulting in the loss of $6M of AUDIO tokens. Here’s how it happened.
Blockchain-based audio streaming platform Audius has learned the hard way that community funds can be stolen even from a project that has been online for two years and passed its security audits long ago. While users and AUDIO token holders are unaffected, this attack reminds the industry that even a well-audited project that has been live for years can still harbour a subtle vulnerability waiting to be discovered and exploited by a clever hacker.
Audius is a Web3 blockchain music streaming platform with social media elements. It uses blockchain as part of its design to secure users’ ownership rights over their content, and is one of the largest non-financial blockchain applications in the industry. Many parts of Audius are built on the Solana blockchain, and thanks to Solana’s sub-penny transaction fees, Audius artists can tokenize their work for free by minting their content as NFTs. While Audius is still in development and will be for years, artists will eventually be able to set streaming fees for their work, and the platform promises to provide better income than Web2 competitors like Spotify and Soundcloud. When this feature is rolled out, creators will be paid in AUDIO, a cryptocurrency built on the Ethereum blockchain that is currently used for governance by the community DAO. The DAO votes on withdrawals from the treasury and on upgrades to the functionality of the platform, and it was this governance mechanism that the hacker took advantage of.
According to Music Business Worldwide, on July 24 an attacker exploited a vulnerability in Audius’ community governance smart contract (a blockchain program) that allowed them to “delegate” 10 trillion AUDIO tokens without actually possessing them, and then use the delegated voting power to force through a proposal to empty the community treasury into the attacker’s wallet. The 18.6 million AUDIO tokens stolen from the treasury had a market value of $6 million, which the attacker was able to immediately swap for $1 million in ETH (Ethereum’s native cryptocurrency, ether) on Uniswap, and is currently laundering through the Tornado Cash mixer. The vulnerability has since been addressed by the developer team, and user funds were not affected.
Security Audits Are Not Bulletproof
This incident demonstrates how even a well-tested and security-audited smart contract can still contain hidden vulnerabilities that weren’t noticed during the security audits. Audius’ smart contracts had been live for two years without any problems, which provided a false sense of security. This reminds everyone that time spent “in the wild” does not guarantee the code is flawless, and that security audits of smart contracts should be repeated periodically, even on old code.
The hack was possible because of the obscure way upgradeable smart contracts store and interact with their data, a well-known drawback of that design. These sophisticated designs can be combined with DAO governance, giving the community the ability to vote on new functionality and thus direct influence over the project’s evolution. This is how the Audius platform works. However, this same feature is what the hacker used to ram their own proposal through. Once they discovered the data storage bug that allowed them to delegate 10,000 times the circulating AUDIO supply to the governance contract, they could pass any proposal they wanted, in this case the withdrawal of the entire community treasury.
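As an added illustration (not Audius’ own code, which is Solidity on Ethereum), the following Python model shows the kind of supply-bounded invariants a governance contract can enforce so that a delegation of tokens the holder does not stake, or a vote tally larger than the entire supply, is rejected rather than counted. The supply figure, quorum and account names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed figures: the article says 10 trillion AUDIO was delegated, about
# 10,000 times the circulating supply, so a supply near 1 billion is assumed here.
TOTAL_SUPPLY = 1_000_000_000


class GovernanceError(Exception):
    """Raised when a delegation or tally breaks a supply-bounded invariant."""


@dataclass
class Governance:
    balances: dict = field(default_factory=dict)   # holder -> staked tokens
    delegated: dict = field(default_factory=dict)  # delegate -> voting power
    votes: dict = field(default_factory=dict)      # proposal id -> yes votes

    def delegate(self, holder: str, delegate: str, amount: int) -> int:
        staked = self.balances.get(holder, 0)
        # Invariant 1: a holder can only delegate tokens it actually stakes.
        if amount <= 0 or amount > staked:
            raise GovernanceError(f"{holder} stakes {staked}, cannot delegate {amount}")
        self.balances[holder] = staked - amount
        self.delegated[delegate] = self.delegated.get(delegate, 0) + amount
        # Invariant 2: total voting power can never exceed circulating supply.
        if sum(self.delegated.values()) > TOTAL_SUPPLY:
            raise GovernanceError("delegated voting power exceeds total supply")
        return self.delegated[delegate]

    def vote(self, proposal: int, voter: str) -> int:
        power = self.delegated.get(voter, 0)
        self.votes[proposal] = self.votes.get(proposal, 0) + power
        return self.votes[proposal]

    def passes(self, proposal: int) -> bool:
        yes = self.votes.get(proposal, 0)
        # Invariant 3: a tally above total supply means the accounting is corrupt.
        if yes > TOTAL_SUPPLY:
            raise GovernanceError("vote tally exceeds total supply")
        return yes * 10_000 >= TOTAL_SUPPLY * 500  # hypothetical 5% quorum


def simulate() -> dict:
    """Honest delegation plus a 10-trillion-token delegation the model must reject."""
    gov = Governance(balances={"alice": 60_000_000, "mallory": 0})
    gov.delegate("alice", "carol", 60_000_000)
    try:
        gov.delegate("mallory", "mallory", 10_000_000_000_000)
        rejected = False
    except GovernanceError:
        rejected = True
    gov.vote(1, "carol")
    return {"attack_rejected": rejected, "proposal_passes": gov.passes(1)}
```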
Fortunately, this hack did not affect Audius users or AUDIO token holders/stakers, as only the community treasury was affected, and AUDIO’s price took just a 9 percent hit (likely from the hacker’s Uniswap trade). The Audius team has since issued a patch for the vulnerability, and developers everywhere have taken note of how the hacker pulled off this heist. Every new hack in the blockchain industry is a learning experience for blockchain developers everywhere, and luckily this one wasn’t that bad. Despite the attack, Audius still stands to be a powerful force in the coming Web3 generation of the internet.
Source: Music Business Worldwide