
Attackers stole $6 million from Audius by exploiting a bug in the contract

The decentralized music streaming platform Audius was hacked on July 23, when an attacker exploited a vulnerability in its governance smart contract code. According to Audius's analysis, the attacker stole more than 18.5 million AUDIO tokens, the platform's native cryptocurrency, worth about $6.05 million at the time.

According to a post-mortem analysis of the Audius attack, the attacker identified flaws in contract initialization code that made it possible to manipulate the Audius governance, staking, and delegation contracts. Smart contracts are code that enables distributed platforms to perform functions without the need for centralized entities.

Through this exploit, the attacker redefined voting in the Audius protocol and twice delegated 10 trillion AUDIO tokens to their wallet in an attempt to pass a governance proposal. According to the report, the attacker's first attempt failed, but the second malicious proposal passed.

This allowed the attacker to steal 18,564,497 AUDIO tokens from the community treasury and transfer them to an Ethereum wallet.

The attacker then exchanged the stolen tokens for 704.17 Ether (ETH), then worth more than $1.09 million, on the decentralized exchange Uniswap, according to blockchain data from the attacker's wallet.

The Audius team was first alerted to the exploit more than 30 minutes after the attacker first attempted to delegate 10 trillion AUDIO tokens. The team discovered the bug within an hour and deployed the first fix. The platform is upgrading all contracts, but some features remain disabled.
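A delegation of 10 trillion tokens can be flagged on arithmetic alone, because no honest stake can exceed the token supply. The monitor below is an added example, not code from Audius or its post-mortem; the event field names, the addresses, the sample events and the `MAX_SUPPLY` placeholder are constructed assumptions.

```python
# Added example: supply-invariant checks over decoded governance events.
# Field names, addresses and MAX_SUPPLY are constructed assumptions.
MAX_SUPPLY = 1_500_000_000  # placeholder ceiling in whole tokens, not AUDIO's real supply

# Constructed sample mirroring the sequence in the article: two oversized
# delegations, a first proposal that fails and a second that executes.
SAMPLE_EVENTS = [
    {"block": 100, "kind": "delegate", "actor": "0xA11CE", "amount": 250_000},
    {"block": 105, "kind": "delegate", "actor": "0xBAD", "amount": 10_000_000_000_000},
    {"block": 106, "kind": "vote", "actor": "0xBAD", "proposal": 1,
     "weight": 10_000_000_000_000},
    {"block": 120, "kind": "delegate", "actor": "0xBAD", "amount": 10_000_000_000_000},
    {"block": 121, "kind": "vote", "actor": "0xBAD", "proposal": 2,
     "weight": 10_000_000_000_000},
    {"block": 130, "kind": "executed", "proposal": 2},
]


def audit_events(events, max_supply=MAX_SUPPLY):
    """Return (block, rule, subject) alerts for events that break supply invariants."""
    alerts, tainted, total_delegated = [], set(), 0
    for ev in sorted(events, key=lambda e: e["block"]):
        kind = ev["kind"]
        if kind == "delegate":
            total_delegated += ev["amount"]
            # Delegated stake, per event or in aggregate, can never exceed supply.
            if ev["amount"] > max_supply or total_delegated > max_supply:
                alerts.append((ev["block"], "delegation_exceeds_supply", ev["actor"]))
        elif kind == "vote" and ev["weight"] > max_supply:
            # Remember proposals that were carried by impossible vote weight.
            tainted.add(ev["proposal"])
            alerts.append((ev["block"], "vote_weight_exceeds_supply", ev["proposal"]))
        elif kind == "executed" and ev["proposal"] in tainted:
            # Highest-severity case: a tainted proposal actually ran.
            alerts.append((ev["block"], "tainted_proposal_executed", ev["proposal"]))
    return alerts


if __name__ == "__main__":
    for alert in audit_events(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the first alert fires at the first oversized delegation, well before the second proposal executes. The aggregate check also catches the same stake split across several smaller delegations.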

The abused contract was audited twice every two years by the OpenZeppelin team, but no bugs were detected, the Audius report said.
