tl;dr Summary: Web3 music streaming app Audius was hacked after an attacker exploited a bug in its governance smart contracts and moved roughly 18 million AUDIO tokens, worth around $6M USD at the time, to their own wallet.
On July 24th, 2022, Audius, a decentralized music streaming service, became the victim of an attack in which the attacker stole roughly 18 million AUDIO tokens, worth about $6 million at the time.
A “post-mortem” report created by the Audius team soon after noted that the attack was made possible due to an undiscovered bug left in the code despite regular security audits.
Since Audius is a decentralized project, all governance is conducted with its native token, AUDIO, which is held in its treasury. According to the report, the attacker was able to use a bug in the governance, staking, and delegation smart contracts to assign themselves as the sole guardian of governance. The attacker then attempted to delegate 10 trillion AUDIO tokens to their own wallet.
That delegation did not create new tokens or affect the supply already in circulation, but the attacker did use their position to drain the community token pool, moving 18.6 million AUDIO to an external wallet.
The team rushed into action and quickly developed fixes to stop the vulnerability with further updates promised to the community.
The post-mortem report offers a clear window into how the team scrambled to address the issue and what it learned. The most important revelation was that the vulnerability survived two independent audits: the smart contracts had been audited by OpenZeppelin in 2020 and by Kudelski in 2021.
The incident also exposed internal shortcomings. The report notes that the team had not actively worked on Solidity/EVM-based code for two years, which slowed its response.
The second lesson was that the team lacked a proper incident response protocol for events outside office hours. It identified that monitoring and paging tooling must be put in place to detect such incidents and alert team members promptly.
Although the stolen tokens were valued at about $6 million, the attacker swapped them on Uniswap, the leading decentralized exchange, for a little over 704 Wrapped Ether (WETH), roughly $1.07 million. The gap reflects the price slippage incurred by selling that many tokens into the pool's available liquidity.
The attacker then moved almost all of the ETH through Tornado Cash, a mixing service that pools coins from many transactions to make tracing the flow of funds on a blockchain more difficult.
Started in 2018, Audius is a blockchain-enabled music streaming platform owned and run by a community of artists, fans, and developers. Because the catalog is anchored on a blockchain, tracks created and uploaded by artists are immutable and remain owned by the artists.
On Audius, artists choose how their content is monetized: offering free content and streams, charging a one-time fee to unlock all content, or selling their music as non-fungible tokens (NFTs) are all options.
Artists receive 90% of sales revenue, with the remaining 10% going to the node operators who run the network. The platform itself does not currently take a share of the revenue and sustains itself through private funding.
Since Audius is mostly an indie platform, it is a great source to discover new artists and tracks.