Decentralized music streaming protocol Audius has revealed a governance attack carried out on its platform through a malicious proposal, which allowed the hacker to drain $1.08 million in funds.
According to a source, the Audius community passed malicious proposal #85, which transferred 18 million AUDIO tokens into the attacker’s account.
These tokens were worth more than $6 million in total. However, the attacker was only able to sell them for 705 ETH, gaining $1.08 million, because dumping all 18 million AUDIO tokens at once resulted in a high amount of slippage.
The perpetrator prepared the malicious proposal in such a way that they were “able to call initialize() and set himself as the sole guardian of the governance contract.”
Audius co-founder Roneil Rumburg, however, said he considers the attack an exploit. He said, “This was an exploit — not a proposal proposed or passed through any legitimate means — it just happened to use the governance system as the entry point for the attack.”
The post-mortem report from Audius’s investigation revealed that AUDIO tokens were moved from the community treasury. Furthermore, the protocol suspended its operations, along with all AUDIO smart contracts and AUDIO tokens, to avoid further losses.
The protocol has since restored token transfers after the pause and added that the “Remaining smart contract functionality is being unpaused after thorough examination/mitigation of the vulnerability.”
Blockchain investigator PeckShield highlighted the issue of Audius’ storage layout inconsistencies.
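A storage layout inconsistency of this kind can be checked for before deployment by comparing the storage bytes a proxy and its implementation each claim. The sketch below is an added example, not code from Audius or PeckShield; it goes beyond the article by assuming a generic proxy/implementation setup, and every variable name, slot position and address in it is constructed for illustration.

```python
# Added illustration: storage overlap between a proxy and the implementation
# it delegates to. All layouts and addresses are constructed samples.
import hashlib
from typing import NamedTuple

class Var(NamedTuple):
    label: str
    slot: int    # 32-byte storage slot index
    offset: int  # byte offset inside the slot (0 = low-order byte)
    size: int    # bytes occupied, at most 32 in this sketch

def find_collisions(proxy, impl):
    """Return (proxy_var, impl_var) label pairs whose storage bytes overlap."""
    hits = []
    for p in proxy:
        p_start = p.slot * 32 + p.offset
        for i in impl:
            i_start = i.slot * 32 + i.offset
            if p_start < i_start + i.size and i_start < p_start + p.size:
                hits.append((p.label, i.label))
    return hits

def read_var(storage, v):
    """Read v from a {slot: 256-bit word} map, as the implementation would."""
    word = storage.get(v.slot, 0)
    return (word >> (8 * v.offset)) & ((1 << (8 * v.size)) - 1)

def flags_after_proxy_write(proxy_admin_var, admin_address):
    """Proxy stores its admin; return what the implementation's guard flags read."""
    storage = {proxy_admin_var.slot: admin_address << (8 * proxy_admin_var.offset)}
    return tuple(bool(read_var(storage, f)) for f in IMPL[:2])

# Implementation: initializer guard flags packed into slot 0 (hypothetical names).
IMPL = [Var("initialized", 0, 0, 1), Var("initializing", 0, 1, 1),
        Var("guardian", 1, 0, 20)]
# Inconsistent proxy: its admin address also lives in slot 0.
PROXY_COLLIDING = [Var("proxyAdmin", 0, 0, 20)]
# Corrected proxy: admin kept at a hash-derived slot (SHA-256 is a stand-in here).
ADMIN_SLOT = int.from_bytes(hashlib.sha256(b"example.proxy.admin").digest(), "big")
PROXY_SAFE = [Var("proxyAdmin", ADMIN_SLOT, 0, 20)]

SAMPLE_ADMIN = 0x00112233445566778899AABBCCDDEEFF0011ABCD  # constructed address

if __name__ == "__main__":
    print(find_collisions(PROXY_COLLIDING, IMPL))
    print(flags_after_proxy_write(PROXY_COLLIDING[0], SAMPLE_ADMIN))
    print(find_collisions(PROXY_SAFE, IMPL))
    print(flags_after_proxy_write(PROXY_SAFE[0], SAMPLE_ADMIN))
```

In the colliding layout the implementation's guard flags are decided by bytes of the proxy's admin address rather than by the implementation itself, which is why an overlap report like this is worth failing a build on.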