Decentralized music streaming platform Audius was hacked on July 23 when an attacker exploited a vulnerability in its governance smart contract code. According to Audius’ analysis of the hack, the attacker stole over 18.5 million AUDIO tokens, the platform’s native cryptocurrency, worth around $6.05 million at the time.
The attacker found a flaw in the contracts’ initialization code that let them manipulate Audius’ governance, staking, and delegation contracts, according to Audius’ post-mortem of the attack. A smart contract is program code running on a blockchain that lets a decentralized platform carry out functions without a central operator.
Through the exploit, the attacker rewrote the Audius protocol’s voting rules and twice attempted to delegate 10 trillion AUDIO tokens, far more than the token’s entire supply, to their own wallet in order to pass governance proposals. The first attempt failed, but the second malicious proposal passed, according to the report.
The passed proposal let the attacker move 18,564,497 AUDIO tokens from the community treasury to an Ethereum wallet under their control.
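The post-mortem summarized above names the bug class (“a flaw in the contract initialization code”) but this page does not reproduce the code, so the following is an added illustration written for this article, not Audius’ contracts. Upgradeable contracts behind a proxy typically replace the constructor with an initialize() function that is meant to be called exactly once; if nothing enforces “once”, anyone can call it again and rewrite the parameters it sets, which is the effect the report describes: voting rules redefined and delegated voting power handed to the attacker. The contract names, the guardian/quorum/delegatedVotes fields and the setDelegatedVotes hook are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative contracts added for this article; NOT Audius' code.
// Both sit behind a proxy in the usual upgradeable pattern, so there is
// no constructor and initialize() is supposed to be called once by the deployer.

// Vulnerable: nothing stops initialize() from being called a second time,
// so any account can make itself guardian, drop the quorum and then
// assign itself voting power that was never staked.
contract VulnerableGovernance {
    address public guardian;                 // hypothetical admin role
    uint256 public votingPeriodBlocks;
    uint256 public quorumVotes;
    mapping(address => uint256) public delegatedVotes;

    function initialize(address _guardian, uint256 _votingPeriodBlocks, uint256 _quorumVotes) external {
        guardian = _guardian;
        votingPeriodBlocks = _votingPeriodBlocks;
        quorumVotes = _quorumVotes;
    }

    // Hypothetical hook meant for the staking/delegation contract only.
    // Its authorisation rests on `guardian`, which initialize() overwrites.
    function setDelegatedVotes(address voter, uint256 votes) external {
        require(msg.sender == guardian, "not guardian");
        delegatedVotes[voter] = votes;
    }

    function canPass(address proposer) external view returns (bool) {
        return delegatedVotes[proposer] >= quorumVotes;
    }
}

// Hardened: a one-shot guard makes every later initialize() call revert.
contract HardenedGovernance {
    bool private _initialized;
    address public guardian;
    uint256 public votingPeriodBlocks;
    uint256 public quorumVotes;
    mapping(address => uint256) public delegatedVotes;

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    function initialize(address _guardian, uint256 _votingPeriodBlocks, uint256 _quorumVotes) external initializer {
        guardian = _guardian;
        votingPeriodBlocks = _votingPeriodBlocks;
        quorumVotes = _quorumVotes;
    }

    function setDelegatedVotes(address voter, uint256 votes) external {
        require(msg.sender == guardian, "not guardian");
        delegatedVotes[voter] = votes;
    }

    function canPass(address proposer) external view returns (bool) {
        return delegatedVotes[proposer] >= quorumVotes;
    }
}

// Attack sketch against VulnerableGovernance, sent from any externally owned account:
//   v.initialize(attacker, 1, 1);                          // re-run: attacker is now guardian, quorum is 1 vote
//   v.setDelegatedVotes(attacker, 10_000_000_000_000e18);   // "delegate" 10 trillion votes that were never staked
//   v.canPass(attacker);                                   // true: a proposal from the attacker passes
// The same first call against HardenedGovernance reverts with "already initialized",
// so the other two never get authorised.
```

In practice the guard is taken from OpenZeppelin’s Initializable contract (its initializer modifier) rather than hand-rolled as above. The check a reviewer wants before sign-off is a test that calls initialize() a second time from an unprivileged account and asserts that it reverts; the caveat is that the guard only works if its storage slot is not also written by anything else in the proxy or the implementation, so reviewing the storage layout of every contract behind the proxy is part of the same audit.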
The attacker then swapped the stolen tokens on the decentralized exchange Uniswap for 704.17 Ether (ETH), valued at over $1.09 million at the time, according to blockchain data for the attacker’s wallet. The gap between that figure and the roughly $6.05 million nominal value of the stolen tokens reflects the price impact of selling that much AUDIO on a decentralized exchange.
The Audius team was first alerted to the exploit more than half an hour after the attacker’s first attempt to delegate 10 trillion AUDIO tokens. The team found the bug in under an hour and deployed an initial fix. The platform is in the process of upgrading all its contracts, and some functions remain disabled.
The exploited contracts had been audited twice over two years by the OpenZeppelin team, but neither audit caught the bug, the Audius report said.