Audius, web3’s answer to Spotify, has fallen victim to a governance attack, losing $6M of its native token, AUDIO.
The attacker passed a malicious proposal transferring the funds directly from the treasury before dumping them onto the market for just ~$1M.
AUDIO is used for user rewards and artist tips, as well as for governance purposes on the music-streaming service.
Pause, rewind, play…
According to the official post mortem, the attacker was able to reinitialise governance contracts, delegating a large number of governance tokens to themself and bypassing safeguards meant to limit malicious proposals.
Then, with their vastly increased voting power, they could pass a proposal to transfer 18M AUDIO tokens out of the treasury and straight to their own address.
However, this creates a collision with OpenZeppelin's Initializable contract, leading to a bug which allowed the attacker to take control of the governance contract and change parameters on any of Audius’ Governance, Staking & DelegateManagerV2 contracts.
For further details, see OpenZeppelin docs on storage collisions.
The post mortem summarises the actions of the attacker as follows:
With this, the attacker was able to (1) Re-define voting on the Audius protocol and modify the governance contract’s guardian address (2) Set the governance address of both the Staking & DelegateManagerV2 contracts to that of a custom deployment of the Audius governance contract 0xbdbb5945f252bc3466a319cdcc3ee8056bf2e569) and abuse the Audius protocol by
Mark an erroneous delegation of 10,000,000,000,000 $AUDIO to themselves in an attempt to pass a governance vote. (No circulating supply impact / confined to storage of Staking & Delegation contracts)
Mark a second erroneous delegation of 10,000,000,000,000 $AUDIO to themselves in an attempt to pass a governance vote, which did pass and transferred the funds. (No circulating supply impact / confined to storage of Staking & Delegation contracts)
Transferring 18,564,497 $AUDIO tokens from the community treasury: https://etherscan.io/tx/0x4227bca8ed4b8915c7eec0e14ad3748a88c4371d4176e716e8007249b9980dc9
Attacker’s address: 0xa0c7BD318D69424603CBf91e9969870F21B8ab4c
The attacker then went on to dump the AUDIO in a single transaction via Uniswap v2, incurring major slippage and making off with just 704 ETH (~$1M).
The funds were then deposited into Tornado Cash around 10 hours later.
A quick response time from the team (plus help), and the loss coming from the treasury, rather than users pockets, likely minimised the fallout.
However, this doesn’t look to have knocked Audius off the DeFi playlist for good.
Let’s just hope their debut is a one-hit wonder.
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
Wintermute have lost over $160M to their second incident this summer. Using a vanity address for "gas savings" has cost them dearly. Last time, funds were returned, will Wintermute get lucky again?
The billion that wasn't. Tornado sanctions didn’t deter these Polkadot thieves, who tried to steal ~$1.3B in aUSD from Acala Network.
Curve fell victim to a DNS hijacking yesterday, with approximately $575k lost to malicious contract approvals. For users, DeFi protocols are only as secure as their centrally-hosted front end. How much longer will web3 rely on web2?