Hackers Breach Audius, Steal $6 Million Worth of Tokens


Blockchain-based music streaming platform Audius confirmed it was the victim of a cyberattack in which hackers stole $6 million worth of AUDIO tokens. The malicious actors exploited a vulnerability in the platform’s smart contract on Saturday, July 23. They then sold the stolen tokens on Uniswap for $1.08 million.

Soon after the hackers stole the tokens, the platform froze all its smart contracts and the AUDIO token.

In a post-mortem report, Audius said that the smart contract was audited twice, in 2020 and 2021 — though neither audit picked up on the vulnerability. The platform added that it managed to mitigate the attack within a few hours of discovery. Audius is still investigating the incident to check for any other unauthorized modifications.

Hackers Exploited Bug in Audius Governance Contract

Audius is a decentralized music platform where artists can share their music and earn native AUDIO tokens. Users can also earn tokens by participating and curating content.

The malicious actors exploited a previously unknown bug in Audius’ governance contracts. This allowed them to unilaterally pass proposals that would otherwise require voting. The most significant proposal was to transfer 18 million $AUDIO ($6 million) from Audius’ community pool to the hackers’ wallet. The attackers also managed to change the platform’s governance dynamics.

In its report, Audius said the attack did not result in the minting of new tokens and did not affect the current token circulation. Furthermore, user funds are secure at this time.

“Audits are not bulletproof, and time spent in the market (and the resulting Lindy effect) can help build confidence but does not rule out opportunities for exploitation,” Audius stated.

“These contracts were deployed in October 2020 and this vulnerability has been live in the wild since that time,” it added.

Audius Says Most Funds Unaffected by Breach

The platform said the “vast majority” of $AUDIO belonging to the Audius foundation, team, community, and others associated with the ecosystem was not impacted by the incident. Audius said it will spend the coming weeks working on ways to repair and improve in light of the incident.

“Work is in progress in collaboration with the community on possible remediations for the loss of funds, and we are fortunate that many options are still available,” Team Audius said.

Audius added that it would take necessary steps to improve its incident response time. It plans on implementing upgraded automated tools to detect any suspicious activity. Furthermore, it noted the importance of having an on-call incident team ready to review and take necessary actions.

Audius Latest in Spate of Crypto Cyber Attacks

Audius is the latest on a list of major cyber attacks affecting cryptocurrency platforms. In late 2021, Poly Network suffered a hack in which malicious actors stole $600 million worth of cryptocurrencies from the DeFi provider. The attacker subsequently returned the funds to the platform, stating that he only wanted to point out its security flaws.

Earlier this year, the Ronin Network, publisher of the popular Play2Earn game Axie Infinity, was also targeted. The responsible actors made off with $620 million worth of cryptocurrencies. Unfortunately for Ronin, its attacker did not share the Poly Network hacker’s noble sentiments.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.