Thanks to the bug in the contract initialization code, the hacker succeeded in stealing 18 billion $AUDIO tokens, which at the time of the theft amounted to more than $6 million.
Audius is a decentralized web3 streaming platform for musicians. Any musician, not even associated with labels, can publish their work on this platform. High sound quality, the amount of downloadable content is unlimited, the use of the platform is free, besides, musicians can publish exclusive content for their fans. What distinguishes Audius from other platforms is the use of blockchain. Also, Audius is a non-commercial open source project.
“The mission of the project is to give everyone the freedom to share, monetize, and listen to any audio”.
The site has been actively growing and attracting funding. Popular artists are already involved in the development of the project. The launch of Audius was accompanied by a livestream with the participation of Deadmau5, a popular creator of electronic music. Albums by such big artists as Skrillex, Disclosure, Steve Aoki, RAC and others are now available on Audius.
But, no matter how good everything is, sometimes sheesh happens. So, an unpleasant event happened to Audius. On July 23, due to a bug, a hacker was able to steal 18 billion $AUDIO tokens directly from the Audius governance contract, which is also called the “community treasury”.
How did this happen? If you delve into the question, the attacker did not steal the funds, but was able to move the tokens to his wallet, and then “modify dynamics of the voting system to illegally change their staked $AUDIO amounts in the network”. As Audius wrote in the report on this attack, the contracts that the fraudster hacked were previously checked by OpenZeppelin and Kudeski (security providers), but the vulnerability used by the hacker was not detected then.
The vulnerability was in the Audius governance contracts and AudiusAdminUpgradabilityProxy contract. You can learn the technical aspects of the vulnerability from the Audius report about this attack.
After a hacker stole $AUDIO tokens from the Audius Community Treasury, the tokens were swapped for 705 ETH (about $1M) on the Uniswap platform. Due to the fact that the hacker heavily dumped (set the swap price six times lower than the market price), the tokens were quickly and successfully swapped, and now, according to Reddit user Suren Rongyao post, they are on a wallet with the address: 0xa0c7BD318D69424603CBf91e9969870F21B8ab4c.
Against the background of the attack, the price of the $AUDIO token, according to Coinmarketcap, decreased by 19% (from $0.3768 to $0.3045) in the period from July 23 to July 26. But, now the $AUDIO token has recovered from the fall and its price has levelled off.