The Audius blockchain-based audio streaming platform has learned the hard way that attackers can drain community funds even from a project that has been live for two years and passed its security audits long ago. Although users and holders of AUDIO tokens were not affected, the attack is a reminder to the industry that even a well-tested project that has been around for years may still carry a hidden vulnerability waiting to be discovered and exploited by a capable attacker.
Audius is a Web3 music streaming platform with social-network features. It uses a blockchain as part of its design to protect users’ ownership rights over their content and is one of the largest non-financial blockchain applications in the industry. Much of Audius is built on the Solana blockchain, and because Solana transaction fees are less than a penny, Audius artists can tokenize their work for free by minting their content as NFTs. Audius is still in development and will be for years to come, but artists will eventually be able to set fees for streaming their work, and the platform promises higher revenue than Web2 competitors such as Spotify and SoundCloud. When that feature ships, creators will be paid in AUDIO, a token built on the Ethereum blockchain that is currently used to govern the DAO community. The DAO votes on withdrawals from the treasury and on updates to the platform’s functionality, and it is this governance mechanism that the attacker took advantage of.
According to Music Business Worldwide, on July 24 an attacker exploited a vulnerability in the Audius community governance smart contract (a program running on the blockchain) that allowed them to “delegate” 10 trillion AUDIO tokens they did not actually own, and then use that delegated voting power to push through a proposal emptying the community treasury into the attacker’s wallet. The 18.6 million AUDIO tokens stolen from the treasury had a market value of $6 million, which the attacker immediately swapped for $1 million in ETH (ether, Ethereum’s native cryptocurrency) on Uniswap and is currently laundering through the Tornado Cash mixer. The development team has since fixed the vulnerability, and fortunately the incident did not affect the funds of the community’s members.
Security audits are not bulletproof
This incident demonstrates how even a well-tested and audited smart contract can contain hidden vulnerabilities that a security audit did not uncover. The Audius smart contracts had run for two years without any problems, which created a false sense of security. It is a reminder that time spent “in the wild” does not guarantee flawless code, and that smart contracts should be audited periodically, even when the code is old.
The hack itself stemmed from the opaque way upgradeable smart contracts store their state and interact with one another, a well-known drawback of that design. Such upgradeable designs can be combined with DAO governance, giving the community the chance to vote on new features and thus direct influence over the project’s development. This is how the Audius platform works. However, it was this very function that the attacker used to push through their own proposal. Once they found a storage bug that let them delegate 10,000 times the circulating supply of AUDIO to the governance contract, they could pass any proposal they wanted, in this case the withdrawal of the entire community treasury.
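As an added illustration (not Audius code), the following Python models the delegate-then-vote flow the article describes and applies two off-chain invariant checks a defender could run over governance events: a holder cannot delegate more than it owns, and total delegated power can never exceed circulating supply, which catches even a corrupted balance record. Token supply, addresses and the event log are constructed sample values, not data from the real contract.

```python
from dataclasses import dataclass, field

@dataclass
class GovernanceMonitor:
    """Off-chain invariant checks over a governance token's delegation and votes."""
    total_supply: int                                 # circulating token supply
    balances: dict = field(default_factory=dict)      # holder -> tokens held
    delegated_by: dict = field(default_factory=dict)  # holder -> tokens already delegated
    power: dict = field(default_factory=dict)         # delegatee -> voting power received
    alerts: list = field(default_factory=list)

    def delegate(self, holder: str, delegatee: str, amount: int) -> bool:
        """Accept a delegation only if the holder owns that many undelegated tokens
        and the delegated total stays within circulating supply; otherwise alert."""
        free = self.balances.get(holder, 0) - self.delegated_by.get(holder, 0)
        if amount <= 0 or amount > free:
            self.alerts.append(f"{holder} delegated {amount} with only {free} undelegated")
            return False
        if sum(self.power.values()) + amount > self.total_supply:
            # catches corrupted balance records: no honest state can delegate more than exists
            self.alerts.append(f"{holder}: delegated power would exceed supply {self.total_supply}")
            return False
        self.delegated_by[holder] = self.delegated_by.get(holder, 0) + amount
        self.power[delegatee] = self.power.get(delegatee, 0) + amount
        return True

    def vote_passes(self, voter: str, votes: int, quorum: int) -> bool:
        """Count a vote only with power the voter legitimately holds, then apply quorum."""
        held = self.power.get(voter, 0)
        if votes > held:
            self.alerts.append(f"{voter} cast {votes} votes with {held} power")
            return False
        return votes >= quorum

def run_constructed_scenario() -> GovernanceMonitor:
    """Constructed event log (sample values, not real chain data): an honest
    delegation, a delegation of 10,000x supply by an address holding nothing,
    a delegation backed by a corrupted balance record, then a treasury vote."""
    supply = 1_000_000
    m = GovernanceMonitor(total_supply=supply,
                          balances={"alice": 600_000, "bob": 400_000,
                                    "mallory": 10_000 * supply})  # corrupted balance entry
    m.delegate("alice", "alice", 600_000)                # passes: alice holds 600k
    m.delegate("attacker", "attacker", 10_000 * supply)  # alert: holds nothing
    m.delegate("mallory", "mallory", 10_000 * supply)    # alert: exceeds supply
    m.vote_passes("attacker", 10_000 * supply, quorum=supply // 2)  # alert: no power
    return m
```

Running `run_constructed_scenario()` yields three alerts, one for each anomalous event, while the honest delegation is recorded as voting power.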
Fortunately, this hack did not affect Audius users or AUDIO token holders and stakers, since only the community treasury was hit, and the price of AUDIO fell by only 9 percent (probably because of the attacker’s swap on Uniswap). The Audius team has since released a fix for the vulnerability, and developers everywhere have taken note of how the attacker pulled off the heist. Every new hack in the blockchain industry is a learning experience for blockchain developers around the world, and fortunately this one was not that bad. Despite the attack, Audius remains a powerful force in the coming generation of the Web3 Internet.