Blockchain music platform Audius hacked with malicious proposal attack, 705 ETH transferred to mixer protocol


The popular blockchain music platform Audius announced at 8 am on the 24th that unauthorized transfers of AUDIO tokens from the community treasury had been detected and that an official investigation was underway. Approximately two hours later, the issue was reported as resolved, and the platform is in the process of restoring stability. To prevent further harm, all related Ethereum smart contracts, including token contracts, will be temporarily paused. At the time of writing, the AUDIO token has resumed operations, and the remaining smart contract functionalities will be reactivated after thorough inspection. A post-incident report will be released tomorrow.

Security Company Analyzes the Incident: Governance Proposal Attack

The security company CertiK stated that Audius suffered a loss of six million US dollars' worth of AUDIO tokens, which were converted to 705 ETH. The attacker changed the parameters of Audius' governance contract and executed a malicious proposal, resulting in 18.5 million AUDIO tokens being transferred out.

The hacker called the initialize function in the governance contract to change parameters such as voting period, execution delay, and guardian address; then the attacker submitted malicious proposal ID 85. The attacker voted for the malicious proposal and executed its content, obtaining the AUDIO tokens and profiting from it. As of press time, the hacker has transferred all the ETH to the privacy protocol Tornado Cash.
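A monitoring check for the sequence described above, as an added example that is not code from Audius or CertiK: it replays decoded calls to a governance contract and flags a repeated initialize, plus any proposal executed faster than the deployment-time voting period and execution delay allowed. The addresses, block numbers, parameter values and every call name other than initialize (submitProposal, submitVote, executeProposal) are constructed or hypothetical.

```python
from dataclasses import dataclass, field

WATCHED = ("voting_period", "execution_delay", "guardian")

@dataclass
class Call:
    block: int
    sender: str
    fn: str                      # decoded function name (hypothetical labels)
    args: dict = field(default_factory=dict)

def audit(calls):
    """Replay governance calls in block order; return a list of alerts."""
    alerts, baseline, current, submitted = [], None, None, {}
    for c in sorted(calls, key=lambda c: c.block):
        if c.fn == "initialize":
            new = {k: c.args[k] for k in WATCHED}
            if current is None:
                baseline = new   # deployment-time values are the reference
            else:                # an initializer should never run twice
                changed = sorted(k for k in WATCHED if new[k] != current[k])
                alerts.append((c.block, "REINITIALIZE", c.sender, changed))
            current = new
        elif c.fn == "submitProposal":
            submitted[c.args["id"]] = c.block
        elif c.fn == "executeProposal" and baseline and c.args["id"] in submitted:
            age = c.block - submitted[c.args["id"]]
            need = baseline["voting_period"] + baseline["execution_delay"]
            if age < need:       # judged against the original timing, not the new one
                alerts.append((c.block, "EARLY_EXECUTE", c.sender,
                               [c.args["id"], age, need]))
    return alerts

# Constructed sample trace (not real chain data).
DEPLOYER, VOTER, UNKNOWN = "0xDEPLOYER", "0xVOTER", "0xUNKNOWN"
SAMPLE = [
    Call(100, DEPLOYER, "initialize",
         {"voting_period": 17280, "execution_delay": 5760, "guardian": "0xGUARDIAN"}),
    Call(1000, VOTER, "submitProposal", {"id": 84}),
    Call(30000, VOTER, "executeProposal", {"id": 84}),
    Call(40000, UNKNOWN, "initialize",
         {"voting_period": 3, "execution_delay": 0, "guardian": UNKNOWN}),
    Call(40001, UNKNOWN, "submitProposal", {"id": 85}),
    Call(40002, UNKNOWN, "submitVote", {"id": 85, "vote": "yes"}),
    Call(40005, UNKNOWN, "executeProposal", {"id": 85}),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

Comparing execution timing against the deployment-time baseline rather than the current parameters is what keeps the second alert meaningful after the parameters themselves have been overwritten.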

The AUDIO token dropped from 0.36 to 0.31 at 7:00 on the 24th and is currently back to 0.34.

Additional information: Audius Governance Explanation. The Audius Governance Forum is currently closed.