Audius Hack: Code-Enabled Governance Attack
Audius is a Web3 platform for musicians to share their music and interact with their fans. It allows musical artists to build a following and engage with their fanbase through NFTs and other initiatives. Musicians keep 90% of revenues, making it much more artist-friendly.
It had quite some momentum, with some of the more popular songs reaching tens of thousands of plays. There was also an active governance community trying to steer the platform in the right direction by making solid product and strategic decisions.
Then the music stopped late at night on the 23rd of July, when the platform was attacked. The hacker stole $6M worth of $AUDIO tokens.
How did the hack happen?
The attacker was able to use Audius’ own smart contracts to assign themselves as the sole guardian. This allowed them to create a governance proposal and pass it without any additional token holder support.
The hacker created four different governance proposals, of which only the last one passed. With this last proposal, they transferred the entirety of the community treasury to their own wallet.
They delegated 10 trillion $AUDIO tokens' worth of voting power to themselves by using the governance, staking, and delegation smart contracts. These contracts allow Audius holders to delegate their votes to other community members.
When one community member delegates to another, they use the initialize() function, which effectively transfers the voting power but not the token itself. The hacker was able to call this function repeatedly without actually owning any tokens, each call initializing a further transfer of voting rights.
Using this mechanism, the attacker assembled 10 trillion $AUDIO tokens in voting power, far more than the entire diluted supply of 725M tokens, and voted on their own proposal to transfer all Audius tokens in the community treasury to themselves.
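To make the failure mode concrete, here is an added illustration (not Audius' own code) of a delegation contract whose initialize() can be called again and again, beside a version with a one-shot guard and a balance-backed delegate() check. The contract and function names are assumed, and the hardened version only shows the two checks relevant here, not a full staking design.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
}

// Vulnerable pattern (constructed example): initialize() has no one-shot
// guard, so any caller can re-run it, name themselves guardian and credit
// themselves voting power that no token backs.
contract DelegationVulnerable {
    address public guardian;
    mapping(address => uint256) public votingPower;

    function initialize(address _guardian, uint256 power) external {
        guardian = _guardian;            // overwritten on every call
        votingPower[_guardian] += power; // accumulates across repeated calls
    }
}

// Hardened pattern: setup runs exactly once, and voting power can only be
// credited by delegating a balance the caller actually holds on-chain.
contract DelegationHardened {
    bool private initialized;
    address public guardian;
    IERC20 public immutable token;
    mapping(address => uint256) public votingPower;
    mapping(address => uint256) public delegatedBy; // per-holder delegated total

    constructor(IERC20 _token) { token = _token; }

    function initialize(address _guardian) external {
        require(!initialized, "already initialized"); // the missing guard
        require(_guardian != address(0), "zero guardian");
        initialized = true;
        guardian = _guardian;
    }

    // Delegate `amount` of the caller's own balance. A holder can never
    // delegate more than they own, so voting power stays bounded by supply.
    function delegate(address to, uint256 amount) external {
        require(initialized, "not initialized");
        require(
            delegatedBy[msg.sender] + amount <= token.balanceOf(msg.sender),
            "exceeds balance"
        );
        delegatedBy[msg.sender] += amount;
        votingPower[to] += amount;
    }
}
```

A useful invariant to assert in tests for any such contract is that the sum of all votingPower never exceeds token.totalSupply(); a production design would also lock or snapshot the delegated tokens so a holder cannot transfer them away after delegating.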
The original code for these smart contracts was published in October 2020, and in the meantime anyone could have exploited them. This was possible even though the code had gone through several audits by renowned audit firms such as Peckshield. It points to a significant weakness in the industry: there are probably many more of these unidentified vulnerabilities hiding in deployed code.
The team responded quickly and pushed a fix that initially halted the smart contracts, then deployed the real solution to get the contracts back up and running safely. They also issued a post-mortem laying out what happened and the lessons they learned.
One investor suggested that the team buy back tokens to prevent a sell-off and protect investors from losing capital. Another investor went a step further and set a deadline for Audius to recover the funds, or else they would be out. This demonstrates the damage a hack can do: critical partners might lose their trust.
The story is an example of how audits are not a bulletproof guarantee of security, and of why reviews must happen periodically as hacking methods become more sophisticated by the day. It also illustrates exactly the circumstances in which Lossless was created and why the team is building multiple protection solutions for the web3 industry.
Restoring trust in web3 security. Lossless incorporates a new layer of blockchain transaction security, protecting projects and their communities from malicious exploits and the associated financial loss.
Lossless protocol implements an additional layer of blockchain transaction security for ERC-20 standard tokens, mitigating the financial impact of smart contract exploits and private key theft. Lossless protocol utilizes community-driven threat identification tools and a unique stake-based reporting system to identify suspicious transactions, providing real-time protection.