Audius Passes a Malicious Proposal, Allowing a Hacker to Steal $1.08 Million - Securities.io

Many of the crypto industry’s projects are not as decentralized as they claim to be, but when it comes to those that are — their communities are in charge of making all the decisions. This governance process is fairly simple — someone makes a proposal for a change, the community votes yes or no to the proposal, and if the majority agrees to implement the changes, the developers make it happen.

Malicious proposals are rare, as it is difficult to deceive enough voters into going through with a bad decision, but they can still happen, and Audius is proof of this. The platform recently passed a malicious proposal, known as Proposal #85, which requested the transfer of 18 million AUDIO tokens. The community vote approved it, which allowed the hacker to steal $1 million in AUDIO tokens.

What happened?

The attack was first noted by spreekaway on Twitter, who pointed out that the proposal the Audius community passed was malicious. The user also noted that the hacker managed to call initialize() and set himself as the sole guardian of the governance contract.

Audius’ team quickly reacted, announcing that it was aware of the report of the unauthorized transfer of the project’s tokens from the community treasury. The team said it was investigating the matter and would report back as soon as more information was known.

About an hour and a half later, the project announced that the issue had been found and that a fix was being developed. It added that things should be back to a stable state shortly. However, in order to prevent further damage, all Audius-related smart contracts on Ethereum had to be halted. The team added that it did not believe any additional funds were at risk and that it would keep publishing updates as it learned more about what happened.

There was no malicious proposal, claims Audius CEO

Audius co-founder and CEO Roneil Rumburg then came out with the claim that the community did not pass a malicious proposal, contrary to all previous claims. Instead, he claimed that this was an exploit that simply used the governance system as the entry point.

Following the implementation of the fix, the project resumed token transfers, adding that a careful examination of the vulnerability revealed that it is safe to do so. Unfortunately, the token still saw a significant price crash, which took it from $0.36 to $0.32, which is where it sits right now.

Blockchain investigator PeckShield also got involved, and it managed to narrow down the issue to storage layout inconsistencies. According to its report, the storage layout of the project’s proxy contract was inconsistent with that of its implementation (impl) contract.
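The kind of proxy/implementation layout mismatch PeckShield describes can be checked for before deployment. The Python sketch below is an added example, not code from Audius or PeckShield: the variable names and layouts are constructed for illustration, and the EIP-1967 admin slot is shown as one common way to keep proxy state out of the implementation's slots.

```python
from typing import NamedTuple

class Var(NamedTuple):
    label: str
    slot: int    # 32-byte storage slot index
    offset: int  # byte offset inside the slot (0 = least-significant byte)
    size: int    # width in bytes

def collisions(proxy, impl):
    """Return (proxy_label, impl_label, slot) for each overlapping byte range."""
    found = []
    for p in proxy:
        for i in impl:
            same_slot = p.slot == i.slot
            overlap = p.offset < i.offset + i.size and i.offset < p.offset + p.size
            if same_slot and overlap:
                found.append((p.label, i.label, p.slot))
    return found

def read_field(slot_word, var):
    """Decode one variable from a raw 32-byte slot value, as the EVM would."""
    return (slot_word >> (8 * var.offset)) & ((1 << (8 * var.size)) - 1)

# Constructed layouts; all names are hypothetical, not Audius's real variables.
IMPL = [
    Var("initialized", 0, 0, 1),   # initializer guard flag
    Var("initializing", 0, 1, 1),  # second guard flag packed into the same slot
    Var("guardian", 1, 0, 20),
]
# Weak: the proxy declares its own state variable sequentially, so it sits in slot 0.
PROXY_SEQUENTIAL = [Var("proxyAdmin", 0, 0, 20)]

# Corrected: admin kept at the EIP-1967 admin slot, a hash-derived location
# that sequentially assigned implementation variables never reach.
EIP1967_ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
PROXY_UNSTRUCTURED = [Var("proxyAdmin", EIP1967_ADMIN_SLOT, 0, 20)]

if __name__ == "__main__":
    print("sequential proxy:", collisions(PROXY_SEQUENTIAL, IMPL))
    print("EIP-1967 proxy  :", collisions(PROXY_UNSTRUCTURED, IMPL))
    # A constructed admin address written by the proxy into slot 0 ...
    slot0 = 0x00000000000000000000000000000000000012AB
    # ... is what the implementation decodes as its own guard flags.
    for v in IMPL[:2]:
        print(v.label, "reads", hex(read_field(slot0, v)))
```

Because a proxy runs the implementation's code against its own storage, any pair the checker reports is one set of bytes with two meanings, which is why a layout diff belongs in the review of every upgrade.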

In the end, the hacker’s governance proposal managed to drain 18 million tokens worth approximately $6 million. However, it was all dumped and sold for $1.08 million in total. The dumping resulted in maximum slippage, and investors recommended an emergency buyback to prevent holders from dumping the tokens themselves, which would make the project’s token crash even deeper than it already has.


Ali is a freelance writer covering the cryptocurrency markets and the blockchain industry. He has 8 years of experience writing about cryptocurrencies, technology, and trading. His work can be found in various high-profile investment sites including CCN, Capital.com, Bitcoinist, and NewsBTC.