Audius Music Streaming Platform Hacked
Within the last week, hackers targeted and successfully breached decentralized music platform Audius, making off with over 18 million AUDIO tokens, which are currently valued at about US$6 million.
In response, the platform immediately froze several services while engineers released fixes to stop further token theft. Audius is a decentralized streaming service running on the Ethereum blockchain: listeners earn tokens by curating and listening to content, and musicians earn AUDIO tokens by sharing their music. Until now, Audius had not realised that it was an ideal target for exactly this kind of attack.
According to a report released by Audius, the attackers are believed to have exploited a bug in Audius's contract initialization code that allowed the initialization methods to be invoked more than once. Initializers are where a contract sets its privileged state (owners, guardians, governance parameters) and are meant to run exactly once, so a contract that lets them be re-run lets an attacker overwrite that state.
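The bug class described above, as an added illustration that is not Audius's code: a contract whose initializer can be called again, next to the same contract with a one-shot guard, and a small harness that shows the difference. The contract names, the `guardian`/`votingQuorum` state and the `ReinitDemo` harness are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contracts, not Audius's code. They show the class of bug
// described above: an initializer that can be invoked more than once.

// Vulnerable: nothing records that initialize() has already run, so any
// later caller can re-run it and install themselves as guardian.
contract UnguardedGovernance {
    address public guardian;
    uint256 public votingQuorum;

    // Intended to be called once right after deployment (typically behind a
    // proxy, where constructors cannot be used), but never enforced.
    function initialize(address _guardian, uint256 _quorum) external {
        guardian = _guardian;
        votingQuorum = _quorum;
    }
}

// Hardened: a one-shot flag makes the second and every later call revert.
// OpenZeppelin's Initializable contract provides the same "initializer"
// modifier; it is reproduced here so the example is self-contained.
contract GuardedGovernance {
    address public guardian;
    uint256 public votingQuorum;
    bool private _initialized;

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    function initialize(address _guardian, uint256 _quorum) external initializer {
        guardian = _guardian;
        votingQuorum = _quorum;
    }
}

// Harness: each function deploys a fresh contract, initializes it once as
// the legitimate deployer (this contract), then tries a second call on
// behalf of msg.sender, the "attacker".
contract ReinitDemo {
    // Returns true: the second call silently overwrites the guardian.
    function unguardedCanBeRetaken() external returns (bool) {
        UnguardedGovernance g = new UnguardedGovernance();
        g.initialize(address(this), 1);
        g.initialize(msg.sender, 2);
        return g.guardian() == msg.sender;
    }

    // Returns true: the second call reverts and the guardian is unchanged.
    function guardedSecondCallReverts() external returns (bool) {
        GuardedGovernance g = new GuardedGovernance();
        g.initialize(address(this), 1);
        try g.initialize(msg.sender, 2) {
            return false;
        } catch {
            return g.guardian() == address(this);
        }
    }
}
```

One caveat for contracts deployed behind an upgradeable proxy: the `_initialized` flag lives in the proxy's storage alongside the proxy's own bookkeeping, so the guard only works if its storage slot is not shared with anything else the proxy writes. Checking the storage layout of the proxy and the implementation together is part of reviewing any initializer guard.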
18.5 Million Stolen AUDIO Tokens
The entire Audius community pool was transferred to the attacker's wallet. The attacker made four attempts to execute a governance proposal; three failed and the fourth succeeded. Having altered the governance settings, the attacker was able to move 18.5 million AUDIO tokens with a single approval.
To cover their trail, the attackers routed the tokens through the Tornado Cash mixing service while also selling them on Uniswap for only about $1.07 million, roughly a sixth of their market value.
Audius reports that no new tokens were created and that the incident had no impact on the circulating supply. All user funds that were not taken are now secure.
By the end of the day, Audius was back in service. However, the "Delegate Manager" and "Staking" smart contract systems remain paused while the changes are assessed.
The odd part of the story is that Audius's contract system had undergone two comprehensive security audits, in August 2020 and October 2021, by different auditors. Neither found the vulnerability the attackers exploited with such ease.
Audius Bulletproof Security
Audius's response was that audits are never "bulletproof". Time on the market and the "Lindy Effect" build confidence, but they cannot rule out the possibility of exploitation.
Accidents do happen, but this should serve as a lesson for Audius and other blockchain projects: they need to raise their game so that their security can withstand attackers probing for weaknesses. Mandatory audits alone are not enough.
In this case Audius was fortunate that most of its team was online when the attack happened, which allowed them to intervene and prevent further theft.
Nevertheless, the attackers took a sizable amount of tokens from the project, even if the loss is nowhere near the attacks on Axie Infinity's Ronin bridge and Poly Network, where hackers stole over $600 million worth of tokens in each case.