Decentralized music streaming protocol Audius has become the latest DeFi platform to suffer a loss to hackers.
On Sunday, July 24, Audius reported that an attacker had drained funds from its community treasury.
According to Audius, the breach occurred after a malicious governance vote was used to move treasury assets. The Audius team posted:
“Hello, everyone – our team is aware of reports of an unauthorized transfer of AUDIO tokens from the community treasury. We are actively investigating and will report back as soon as we know more. If you’d like to help our response team, please reach out.”
Security firm CertiK explained that the attacker exploited the governance contract by calling an initialize function to reconfigure important parameters in the smart contract that manages Audius’s streaming system.
By re-initializing those settings, the attacker changed values such as the voting period, execution delay, and guardian address, which allowed them to gain control of governance actions.
(1/2) The attacker called the “initialize” function in the Audius governance contract to modify configurations (through re-initialization) such as “voting period”, “execution delay”, “guardian address”.
Then the attacker submitted the malicious proposal (ID 85).
— CertiK Alert (@CertiKAlert) July 24, 2022
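The bug class CertiK describes is an initialization function that can be called again after deployment. The following added illustration (not Audius's contract and not CertiK's code) is a hypothetical, simplified governance contract with the three parameters named in the report, shown first in the vulnerable form, where anyone can call initialize() at any time and overwrite them, and then in a hardened form with a one-shot guard and an event that lets monitoring catch any further initialize() attempts. Contract names, the event, and the parameter order are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical simplified governance contract (added example, not Audius's code).
// VULNERABLE FORM: initialize() has no access control and no "already done" flag,
// so any caller can re-run it and rewrite the voting period, execution delay and
// guardian address, then push a proposal through under the new rules.
contract GovernanceVulnerable {
    uint256 public votingPeriod;    // blocks a proposal stays open for voting
    uint256 public executionDelay;  // blocks between vote end and execution
    address public guardianAddress; // account allowed to veto proposals

    function initialize(
        uint256 _votingPeriod,
        uint256 _executionDelay,
        address _guardian
    ) external {
        votingPeriod = _votingPeriod;
        executionDelay = _executionDelay;
        guardianAddress = _guardian;
    }
}

// HARDENED FORM: a one-shot guard makes the second call revert, and an event
// records who initialized and with what values, so an alert can fire if
// Initialized is ever emitted more than once from a live deployment.
contract GovernanceHardened {
    bool private initialized;       // flipped on first successful initialize()
    uint256 public votingPeriod;
    uint256 public executionDelay;
    address public guardianAddress;

    event Initialized(
        address indexed by,
        uint256 votingPeriod,
        uint256 executionDelay,
        address guardian
    );

    // Reverts on every call after the first; the flag is set before the body
    // runs so a re-entrant call during initialization is also rejected.
    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    function initialize(
        uint256 _votingPeriod,
        uint256 _executionDelay,
        address _guardian
    ) external initializer {
        require(_guardian != address(0), "guardian required");
        require(_votingPeriod > 0 && _executionDelay > 0, "bad timing params");
        votingPeriod = _votingPeriod;
        executionDelay = _executionDelay;
        guardianAddress = _guardian;
        emit Initialized(msg.sender, _votingPeriod, _executionDelay, _guardian);
    }
}
```

Two practical caveats for anyone reviewing a guard like this: the flag only protects the contract if its storage slot is not also written by whatever proxy or upgrade layer sits in front of the implementation, so the storage layout of both layers should be checked together; and a second Initialized event, or any initialize() transaction against an already-live governance contract, is a high-signal alert that is cheap to monitor on-chain.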
Following the reconfiguration, the attacker created and executed a malicious governance proposal (Proposal #85) that authorized transferring 18 million AUDIO tokens from the community treasury.
On-chain timestamps show the activity occurred around 7 p.m. ET on Saturday. Although the stolen 18 million AUDIO tokens had an approximate nominal value near $6 million, market slippage limited the attacker’s ability to convert the tokens. The attacker managed to cash out the equivalent of 705 ETH, roughly $1.1 million.
The rest of the tokens are still held in the attacker’s address. Audius said its team has identified the vulnerable contract behavior and implemented a fix. The protocol also paused the affected contract while it completes a full investigation and prepares a post-mortem report for the community.
Audius is a leading decentralized music streaming protocol that enables artists to monetize their work through its governance and utility token, AUDIO. The token is issued on both Ethereum and Solana networks.