An exploit was used to approve a malicious governance proposal (Proposal #85), which requested the transfer of 18,000,000 of Audius' in-house AUDIO tokens, valued at $6.1 million.
Cryptocurrency proposals help communities reach consensus-based decisions. For decentralized music platform Audius, however, the passing of a malicious governance proposal led to the transfer of tokens worth $6.1 million, with the hacker taking $1 million.
A malicious proposal, Proposal #85, asking for the transfer of 18 million of Audius' in-house AUDIO tokens, was approved by the community. As first reported by Spreekaway on Crypto Twitter, the attacker made the malicious proposal after being able to "call initialize()" and make themselves the sole guardian of the governance contract.
Roneil Rumburg, co-founder of Audius and CEO of Cointelegraph, clarified to Cointelegraph that there was no malicious proposal.
“This was an exploit, not a proposal, nor passed through any legal means. It just happened to use the governance system as the entry point.”
Audius investigated further and confirmed that AUDIO tokens had been transferred from the company’s treasury without authorization. Audius took proactive measures to stop any further loss by halting all AUDIO tokens and Audius smart contracts. The company, however, resumed token transfers shortly after, adding that the “Remaining smart contract functionality is being unpaused after thorough examination/mitigation of the vulnerability.”
PeckShield, a blockchain investigator, narrowed the blame to Audius’ inconsistent storage layout.
The hacker’s governance proposal drained 18 million tokens, worth almost $6 million, from the treasury. They were quickly dumped and sold for $1.08 million. Although the dumping caused maximum slippage, investors suggested an immediate buyback to stop existing investors from dumping the token and further lowering its floor price.
Investors still do not fully understand which funds were stolen. One investor asked, “They hacked our community fund right? Is the team’s fund separate?”
Rumburg confirmed to Cointelegraph that the root causes of the exploit have been addressed and cannot be re-exploited. The community treasury and the foundation treasury are kept separate, so the funds remaining can be protected from any exploit.
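As an added illustration (not code from Audius, PeckShield or the original article), the Python model below shows one general way an inconsistent storage layout between a proxy and its implementation can leave an initialize() guard permanently open, along with a layout check that flags the overlap. The variable names, slot positions, guard logic and address are constructed assumptions, not Audius' actual contract layout.

```python
from collections import namedtuple

# Byte range of one variable inside a 32-byte storage slot (offset 0 = lowest-order byte).
Var = namedtuple("Var", "name slot offset size")

ADMIN = 0x1111111111111111111111111111111111111234  # constructed address
# Admin slot defined by EIP-1967: keccak256("eip1967.proxy.admin") - 1
EIP1967_ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103

# Hypothetical layouts: proxy and implementation share a single storage space.
WEAK_PROXY = [Var("proxyAdmin", 0, 0, 20)]                   # admin kept in ordinary slot 0
SAFE_PROXY = [Var("proxyAdmin", EIP1967_ADMIN_SLOT, 0, 20)]  # admin kept in a hash-derived slot
IMPL = [Var("initialized", 0, 0, 1), Var("initializing", 0, 1, 1)]


def find_collisions(proxy, impl):
    """Name pairs of proxy/implementation variables whose byte ranges overlap."""
    return [(p.name, i.name) for p in proxy for i in impl
            if p.slot == i.slot
            and p.offset < i.offset + i.size and i.offset < p.offset + p.size]


def read_var(storage, var):
    """Read a packed variable out of its slot word."""
    word = storage.get(var.slot, 0)
    return (word >> (8 * var.offset)) & ((1 << (8 * var.size)) - 1)


def initializer_allowed(storage):
    """Simplified guard in the style of require(initializing || !initialized)."""
    flags = {v.name: read_var(storage, v) != 0 for v in IMPL}
    return flags["initializing"] or not flags["initialized"]


def initialize(storage):
    """Model one initialize() call; returns True if the guard let it through."""
    if not initializer_allowed(storage):
        return False
    if not read_var(storage, IMPL[1]):      # top-level call: set the initialized flag
        storage[0] = storage.get(0, 0) | 0x01
    return True


if __name__ == "__main__":
    for label, proxy in (("weak", WEAK_PROXY), ("safe", SAFE_PROXY)):
        storage = {proxy[0].slot: ADMIN}    # proxy records its admin at deployment
        calls = [initialize(storage), initialize(storage)]
        print(label, "collisions:", find_collisions(proxy, IMPL), "initialize() accepted:", calls)
```

In the weak layout the low bytes of the admin address are read as the two guard flags, so every call passes; running a comparison like `find_collisions` over compiler-reported storage layouts before deployment catches this class of overlap.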
Bored Ape Yacht Club nonfungible token creator Yuga Labs has issued its second warning regarding an “unprecedented coordinated attack” on its social media accounts.
In June, Gordon Goner (a pseudonymous co-founder of Yuga Labs) issued the first warning about an incoming attack on its Twitter accounts. Twitter officials began monitoring the accounts immediately and strengthened their security.