Proposals in the cryptocurrency arena help communities make decisions by consensus. In the case of the decentralized music platform Audius, however, the approval of a malicious governance proposal resulted in the transfer of $6.1 million worth of tokens, with the hacker pocketing $1 million.
On July 24, a malicious proposal (Proposal #85) requesting the transfer of 18 million of Audius’ internal AUDIO tokens was approved by community vote. As first noted on Crypto Twitter by @spreekaway, the attacker was able to create the malicious proposal because he was “able to call initialize() and establish himself as the sole guardian of the governance contract.”
Hello everyone – our team is aware of reports of an unauthorized transfer of AUDIO tokens from the community treasury. We are actively investigating and will report back as soon as we know more.
If you’d like to help our response team, please reach out.
—Audius (@AudiusProject) July 24, 2022
Speaking to Cointelegraph, Audius co-founder and CEO Roneil Rumburg clarified that the community did not approve a malicious proposal:
This was an exploit, not a proposal proposed or passed through any legitimate means; the governance system was simply used as the entry point for the attack.
Audius’ subsequent investigation confirmed the unauthorized transfer of AUDIO tokens from the community treasury. Following the disclosure, Audius proactively halted all Audius smart contracts and AUDIO token transfers on the Ethereum blockchain to prevent further losses. The company resumed token transfers soon after, adding that “The remaining functionality of the smart contracts is being unlocked after a thorough examination/mitigation of the vulnerability.”
Blockchain security researcher PeckShield narrowed the flaw down to inconsistencies in Audius’ storage layout.
The issue of @AudiusProject lies in inconsistent storage layout between its proxy and impl. In particular, the collision of the Audius Community Treasury contract results in an equivalence of disabling the initializer modifier. The proxyAdmin addr (0x..abac) plays a role here. pic.twitter.com/x4CqRncahp
— PeckShield Inc. (@peckshield) July 24, 2022
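The collision PeckShield describes, and the initialize() call mentioned earlier, come down to a proxy and its implementation disagreeing about what lives in storage slot 0. The following Solidity is an added illustration written for this article, not Audius’ or PeckShield’s code: the contract names and the simplified two-flag guard are hypothetical, and the two EIP-1967 slot constants are the standard’s published values. It places the colliding layout beside a hardened one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical, minimal contracts (not the Audius code) showing how a proxy that keeps
// its admin in an ordinary state variable collides with an implementation whose
// initializer flags occupy the same slot, and how EIP-1967 slots avoid that.

abstract contract Delegator {
    // Run `impl`'s code against the proxy's own storage and bubble up the result.
    function _delegate(address impl) internal {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// ---- Colliding layout: proxy bookkeeping in slots 0 and 1 ----

contract CollidingProxy is Delegator {
    address public proxyAdmin;      // storage slot 0
    address public implementation;  // storage slot 1

    constructor(address impl) {
        proxyAdmin = msg.sender;
        implementation = impl;
    }

    fallback() external payable { _delegate(implementation); }
}

// Two-flag guard in the style of older upgradeable libraries (simplified). Solidity
// packs both bools into slot 0: `initialized` in byte 0, `initializing` in byte 1.
contract CollidingTreasury {
    bool private initialized;   // slot 0, byte 0
    bool private initializing;  // slot 0, byte 1
    address public guardian;    // slot 1

    modifier initializer() {
        // Through CollidingProxy, slot 0 holds proxyAdmin. An address is right-aligned in
        // the slot, so bytes 0 and 1 are its two lowest bytes (e.g. 0x..abac). Any non-zero
        // byte reads back as `true`, so `initializing` is already true, this check passes
        // on every call, and the guard is effectively disabled.
        require(initializing || !initialized, "already initialized");
        bool topLevel = !initializing;
        if (topLevel) { initializing = true; initialized = true; }
        _;
        if (topLevel) { initializing = false; }
    }

    function initialize(address _guardian) external initializer {
        guardian = _guardian;  // also clobbers slot 1, the proxy's implementation pointer
    }
}

// ---- Hardened layout: proxy bookkeeping in EIP-1967 hash-derived slots ----

contract Eip1967Proxy is Delegator {
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    // bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1)
    bytes32 private constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    constructor(address impl) {
        bytes32 adminSlot = ADMIN_SLOT;
        bytes32 implSlot = IMPL_SLOT;
        assembly {
            sstore(adminSlot, caller())
            sstore(implSlot, impl)
        }
    }

    fallback() external payable {
        bytes32 implSlot = IMPL_SLOT;
        address impl;
        assembly { impl := sload(implSlot) }
        _delegate(impl);
    }
}

contract SafeTreasury {
    bool private initialized;   // slot 0: never written by Eip1967Proxy, starts as false
    address public guardian;    // slot 1

    // Lock the bare logic contract so it cannot be initialized directly either.
    constructor() { initialized = true; }

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;   // one-shot: a second initialize() call reverts
        _;
    }

    function initialize(address _guardian) external initializer {
        guardian = _guardian;
    }
}
```

The practical check before deploying or upgrading behind a proxy is to compare the two layouts rather than trust the initializer by inspection: `solc --storage-layout` prints the slot and offset of every state variable, and the initializer flag of the implementation must land in a slot the proxy never writes. For a live deployment, reading the proxy’s slot 0 with `eth_getStorageAt` should return zero before initialization; a non-zero value there is the signature of exactly this collision.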
While the hacker’s governance proposal drained 18 million tokens worth nearly $6 million from the treasury, the tokens were soon flipped and sold for $1.08 million. Although the dump was executed with maximum slippage, investors recommended an immediate buyback to discourage existing holders from selling and further lowering the token’s floor price.
Investors are still unclear about the stolen funds; as one investor asked, “You’ve hacked into the community fund, right? The team fund is separate, correct?”
Rumburg confirmed to Cointelegraph that the root cause of the exploit has been mitigated and cannot be exploited again. Since the community treasury is kept separate from the foundation treasury, any remaining funds remain safe from any exploits.
Bored Ape Yacht Club (BAYC) creator Yuga Labs has issued its second warning about an expected “coordinated attack” on its social media accounts.
Our security team has been tracking a persistent threat group that targets the NFT community. We believe that they may soon be launching a coordinated attack targeting multiple communities via compromised social media accounts. Please be vigilant and stay safe.
— Yuga Labs (@yugalabs) July 18, 2022
In June, Gordon Goner, the pseudonymous co-founder of Yuga Labs, issued the first warning of a possible incoming attack on the company’s Twitter accounts. Shortly after the warning, Twitter officials actively monitored the accounts and tightened their security.