Another Weekend Exploit - This time $1.08 Million Drained from Audius

Another Weekend Exploit - This time $1.08 Million Drained from Audius

By kev_nag | kev_nag | 25 Jul 2022


On Sunday, July 24, 2022, “a malicious proposal, Proposal #85, requesting the transfer of 18 million Audius’ in-house AUDIO tokens was approved by community voting. First pointed out on Crypto Twitter by spreekaway, the attacker created the malicious proposal wherein they were 'able to call initialize() and set himself as the sole guardian of the governance contract” [Sarkar, A. Hacker drains $1.08M from Audius following passing of malicious proposal. (Accessed July 24, 2022)].

20220724 2.png
20220724 2.png
Photo Source

‘The issue of Audius Project lies in inconsistent storage layout between its proxy and impl. In particular, the collision of Audius Community Treasury contract results in an equivalence of disabling the initializer modifier. The proxyAdmin addr (0x…abac) plays a role here’, PeckShield tweeted.

[Selena. The Passing Of A Malicious Governance Proposal Of Audius Resulted In Hackers Making Away With $1 Million. (Accessed July 24, 2022)].

Roneil Rumburg, co-founder and CEO of Audius, spoke with representatives of Cointelegraph and clarified that in fact it was not the Audius Community that passed a malicious proposal. Rather, he stated:

This was an exploit — not a proposal proposed or passed through any legitimate means — it just happened to use the governance system as the entry point for the attack.

[Sarkar, supra].

"Further investigation from Auduis confirmed the unauthorized transfer of AUDIO tokens from the company’s treasury. Following the revelation, Auduis proactively halted all Audius smart contracts and AUDIO tokens on the Ethereum blockchain to avoid further losses. The company, however, resumed token transfers shortly after, adding that the 'Remaining smart contract functionality is being unpaused after thorough examination/mitigation of the vulnerability.” [Id].

The illegitimate proposal appeared as follows:

Photo Source

“While the hacker’s governance proposal drained 18 million tokens worth nearly $6 million from the treasury, it was soon dumped and sold for $1.08 million. While the dumping resulted in maximum slippage, investors recommended an immediate buyback to prevent existing investors from further dumping and lowering the token’s price” [Selena, supra].

20220724 5.png
Photo Source

“Rumburg confirmed with Cointelegraph that the root cause of the exploit has been mitigated and cannot be re-exploited. Given that the community treasury is kept separate from the foundation treasury, the remaining funds remain safe from any exploit” [Sarkar, supra].

How do you rate this article?

38


kev_nag
kev_nag

Just an ordinary casual crypto investor.


kev_nag
kev_nag

Retired, finally. I enjoy learning about crypto and sharing my discoveries. Also, I follow the News closely and enjoy discussing current events. I have no political agenda, but advance views based in reality with a slant toward real world consequences.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.