Independent Music Platform Audius claims to have patched the source of the $6 million exploit.
The decentralized music platform Audius says it has discovered the flaw that allowed a hacker to approve a false governance proposal and transfer tokens worth USD 6 million, and that a fix has been implemented to retake control of the protocol.
A vulnerability in the protocol's governance, staking, and delegation contracts on Ethereum (ETH) allowed a hacker to take advantage of the contract initialization code on July 23 and maliciously transfer AUDIO 18m (USD 6.075m) held by the community treasury, according to a post-mortem from the protocol.
Audius said that the corrupted set of contracts had been examined by two security companies: Kudelski on October 27, 2021, and blockchain security firm OpenZeppelin on August 25, 2020, before being deployed.
In order to immediately reclaim control of the protocol before the attacker could cause more harm, the Audius team was able to create and apply a patch, the team said.
The issue has been found and fixes are in progress to get things back to a stable state.
— Audius 🎧 (@AudiusProject) July 24, 2022
To prevent further damage, all Audius smart contracts on Ethereum had to be halted, including the token.
We do not believe any further funds are at risk.
More updates / post-mortem soon. https://t.co/i3MM9WjjgE
The tokens were worth USD 6.1 million at the time of the attack. However, Etherescan transactions show that the attacker was able to flee with ETH 704.9 (worth USD 1.073 million) after dumping the tokens that caused maximum slippage.
The team also stated that the "vast majority" of Audius foundation, team, community, and other funds were unaffected by the incident. "Work is underway in collaboration with the community on potential remedies for the loss of funds, and we are fortunate that many options remain available," they said.
Meanwhile, as of 7:28 a.m. UTC on Monday, Audius' native token AUDIO is trading at around USD 0.33, down 2% in a day and more than 4% in a week.
Notably, Audius is not the only decentralized finance (DeFi) project to have been hacked in the last few days.
Neopets, a virtual pet-owning game, also confirmed late last week that it had suffered a data breach, that email accounts and passwords "may have been affected," and that users should change their passwords.
"Neopets recently discovered that customer data had possibly been stolen. We immediately launched an investigation with the assistance of a top forensics firm. We are also working with law enforcement to improve the security of our systems and user data "On Thursday, the company stated in a Twitter thread.