Hackers Drain $6M in Tokens From Web3 Streaming Platform AUDIUS
In a post-mortem issued by Web3 music streaming platform Audius, the San Francisco-based startup described new implications and losses discovered following a smart contract hack to the platform’s community treasury and ‘main-net’ eth contracts on July 23.
A vulnerability in Audius’ Ethereum $AUDIO token was exploited, and a hacker was able to change the platform’s voting structure in mere minutes, transferring around 10 trillion tokens to their wallets by manipulating Audius’s Ethereum-based governance, staking, and delegation contracts.
Smart contracts are code that shapes the rules of a decentralized platform, such as Audius, and allows it to operate seamlessly without a centralized intermediary. While the exploited bug in the platform’s governance smart contract allowed the hacker to funnel the entirety of the community treasury to their wallet, Audius reported that the attack “did not affect the supply of AUDIO tokens.”
Twenty-five minutes after the unauthorized token transfer began, the team says they were notified and immediately sought support from a white hat web3 hacker to circumvent the attack. Realizing the exploit was still active, Audius quickly issued fixes utilizing the same vulnerability that the attacker targeted.
“The issue has been found and fixes are in progress to get things back to a stable state,” Audius tweeted at the time of the attack. “To prevent further damage, all Audius smart contracts on Ethereum had to be halted, including the token. We do not believe any further funds are at risk.”
Audius suffered a $6 million loss in $AUDIO tokens in the hack, according to the post-mortem. The stolen tokens were traded for 705 wrapped ETH (wETH), worth approximately $1 million.
After exchanging the stolen Audius tokens on Uniswap, all wETH was funneled through Tornado Cash—a crypto mixing service notoriously associated with fund laundering to conceal a token’s origins.
The attack ultimately depleted the $5 million funding round the platform raised only 11 months ago from artists and investors, who included Katy Perry, The Chainsmokers, Nas, Jason Derulo, Pusha T, Mark Gillespie, and former Sony Music CEO Martin Bandier.
“Work is in progress in collaboration with the community on possible remediations for the loss of funds, and we are fortunate that many options are still available,” the Audius team explained in the post-mortem blog post. “These will be discussed over coming weeks in the Audius governance forum, discord, and other venues before being proposed to the Audius governance process.”