Thief Steals $6M Tokens From Audius, Sells Them for $1M
Protocol's Governance Contract, Vulnerable for 2 Years, Exploited in Attack
A hacker exploited decentralized music platform Audius' community governance procedure by stealing 18 million native tokens through a malicious proposal that exploited a flaw in the blockchain's smart contract systems.
See Also: Ransomware: Defense in Depth with VMware
Audius aims to build a decentralized community-owned protocol in a bid to take on centralized music streaming platforms. Crunchbase data shows it raised a $13.6 million funding since 2018, including from Pantera Capital and Kleiner Perkins.
An attacker on Saturday exploited a bug on a smart contract that had gone undetected since 2020, the company said on Sunday. The hacker stole nearly 18.6 million $AUDIO tokens, selling the stolen assets for $1.08 million, blockchain security company PeckShield tells Information Security Media Group. The company assisted Audius with its investigation. The value of the stolen tokens at the time of writing was $5.9 million.
Audius was designed to allow $AUDIO token holders to enact changes through on-chain proposals. By exploiting the bug on the governance contract, the attacker became the sole guardian of the governance contract, thereby gaining full control of approving on-chain proposals.
The vulnerability also affected Audius' staking and delegation smart contracts. Transactions on these contracts have been frozen until a patch can be administered, the company says.
"Work is continuing to examine the storage modifications made by the attacker and to ensure safe resumption of the remaining Audius smart contract systems," the company says.
It also says it is evaluating options to remediate the loss of funds.
Remediation
The company used the same vulnerability the attacker exploited to regain control of the governance system and block further exploitation. It proposed an on-chain change to take control of the governance contract and deployed the necessary patches.
"After deploying the set of contracts that gave the response team control over the system as well as halted writes, the team was able to, one by one, redeploy and initialize the proxy contracts for each of the impacted components," it says.
It has delayed patching the bug on the staking and delegation smart contracts to "allow for external review." Those proxies are frozen for now so they are not at risk of further exploitation, the company says.
The vulnerability was overlooked during smart contracts security audits by OpenZeppelin in August 2020 and Kudelski in October 2021.
Audius says, "Audits are not bulletproof."
In a statement made in the days following the attack. Kuldeski Security says Audius has acknowledged that the code containing the vulnerability was beyond the scope of Kuldeski's review.* The blockchain security services provider is working with the Audius team to understand the additional needs in the end-to-end system to build in necessary security enhancements, a company spokesperson tells ISMG.
"As a follow-up, Kudelski Security will include review of governance and voting processes in our threat models moving forward. This will help better prepare clients for any future potential exploitation of their methods of protocol governance," the spokesperson says.
The vulnerable contracts were deployed in October 2020. "The Audius project team has not worked actively on Solidity/EVM-based code in nearly two years. It took folks time to get back up to speed on all things here," the company says. It looks to keep abreast of the current development and debugging tooling to remedy this.
PeckShield adds that it is key to constantly monitor the dynamics of deployed protocols and prepare contingency measures for risk control/mitigation.
Audius says it will also set up better automated tooling systems to detect suspicious on-chain activity.
*Update July 27, 2022 18:29 UTC: Updated to include response from Kuldeski Security.
