How attackers stole $1.1M in Audius tokens
Using smart contracts, attackers passed a hostile governance proposal.
Audius' AUDIO tokens were taken in a sophisticated hack that abused the project's own governance process.
Audius relies on community voting and governance to make decisions. On Saturday, attackers used a fraudulent proposal and token votes to steal funds.
"Proposal #84" assigned 10 trillion AUDIO to the staking contract (with no change to the token supply). No one voted on the proposal, so it failed.
The attackers then voted on "Proposal #85" to transfer 18 million AUDIO tokens. According to the post-mortem report Audius published on Monday, the attacker "called initialize() and set himself as the sole guardian" of the governance contract.
The initialize() function sets up a smart contract's initial state. By controlling it, the attacker could control the governance proposal and transfer the tokens once it passed.
After Proposal #85 was posted, a transaction assigned 10 trillion AUDIO to the vote, in the attacker's favor. The proposal passed because the erroneous votes fooled Audius' smart contracts. This allowed the attackers to move 18 million AUDIO tokens owned by the Audius governance contract, or "community treasury," to their wallet.
The stolen tokens were swapped for more than 700 ether (ETH), worth $1.08 million at the time of writing, on Tornado Cash, blockchain data for the attacker's wallet shows.
Audius developers reported that a flaw let an attacker bypass the one-time restriction on initialize() in the "governance, staking, and delegation contracts on Ethereum mainnet," the developers said.
"A fault in the contract initialization code allowed repeated initialize functions," they said.
OpenZeppelin had examined the exploited contracts, but the vulnerability was not identified, the Audius developers stated. All remaining funds are safe as of Monday.
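The root cause described above, a re-callable initialize(), shown as an added illustration rather than Audius' own code: a hypothetical proxy-style governance contract whose initializer can be re-run and take over the guardian role, beside the hardened form that makes initialize() a one-shot operation. Contract and function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration (not Audius' code). Proxy-based upgradeable
// contracts use initialize() instead of a constructor, so the one-time
// property a constructor gives for free has to be enforced by hand.

// Vulnerable form: nothing stops initialize() from being called again,
// so any caller can overwrite `guardian` and take control of governance.
contract GovernanceVulnerable {
    address public guardian;
    uint256 public votingThreshold;

    function initialize(address _guardian) external {
        guardian = _guardian; // no one-time guard: repeatable by anyone
    }

    modifier onlyGuardian() {
        require(msg.sender == guardian, "not guardian");
        _;
    }

    function setVotingThreshold(uint256 t) external onlyGuardian {
        votingThreshold = t; // a hijacked guardian can reshape governance
    }
}

// Hardened form: a storage flag makes initialize() callable exactly once
// and emits an event so monitoring can confirm the single legitimate call.
// OpenZeppelin's Initializable packages the same check as an `initializer`
// modifier; it is written out here so the example compiles stand-alone.
contract GovernanceHardened {
    address public guardian;
    uint256 public votingThreshold;
    bool private initialized;

    event Initialized(address indexed guardian);

    function initialize(address _guardian) external {
        require(!initialized, "already initialized"); // blocks re-runs
        require(_guardian != address(0), "zero guardian");
        initialized = true;
        guardian = _guardian;
        emit Initialized(_guardian);
    }

    modifier onlyGuardian() {
        require(msg.sender == guardian, "not guardian");
        _;
    }

    function setVotingThreshold(uint256 t) external onlyGuardian {
        votingThreshold = t;
    }
}
```

When the hardened contract sits behind a proxy, the flag must live in the proxy's storage layout without colliding with the proxy's own slots, and the bare implementation contract should be locked too (OpenZeppelin provides `_disableInitializers()` for that) so nobody can initialize the logic contract directly.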