Audius: An autopsy of $6m of music heists reveals some key notes
- Post by: Irjar Jira
- July 25, 2022
Hacks in the cryptocurrency domain are quite common. A malicious attack caused the decentralized music platform Audius to lose 18.5 million AUDIO tokens ($6m).
Broken strings
On 24 July the Audius community treasury lost a substantial amount of money through a bug in the contract initialization code that allowed the “initialize” function to be invoked more than once. The team shared the news on Twitter:
Our team has received reports that AUDIO tokens were being unauthorizedly transferred from the community treasury. We are currently investigating the matter and will update you as soon as possible.
Please reach out if you would like to assist our response team.
— Audius (@AudiusProject) July 24, 2022
Several security firms released post-mortem reports with an in-depth analysis of the attack.
CertiK, a blockchain security firm, posted a brief overview of the attack:
#CommunityAlert
The @AudiusProject was exploited to the tune of $6M in AUDIO tokens. Tokens were then sold for 705 Ethereum.
After altering the Audius governance contract’s configurations and then proposing and executing a malicious proposal to drain 5M of AUDIO, the attacker also stole 5M. pic.twitter.com/djuAO1Jarv
— CertiK Alert (@CertiKAlert) July 24, 2022
The attacker altered the Audius governance contract’s configuration and then proposed and executed a malicious proposal to drain 18.5m AUDIO.
The attacker was able to alter the voting system and place an erroneous stake value in the network.
This led to 18m tokens held by the Audius governance contracts (the “community treasury”) being transferred to the attacker’s wallet.
The attacker then submitted a proposal, passed it, sent all the treasury tokens to their own wallet and dumped them on Uniswap, selling the 18m AUDIO for 705 ETH (about $1.1m).
It appears that $6M in $Audio could only be traded for a little more than $1M in Ethereum. https://t.co/eAQDvBoTJ6 pic.twitter.com/gRf4yw3Qdv
— MistTrack (@MistTrack_io) July 24, 2022
Go+ Security also published a brief analysis on 24 July, with a flowchart in its blog post outlining the full attack path:
Tamper with vote parameters -> submit a malicious proposal -> tamper with vote weights -> vote -> execute the proposal
The firm’s analysis also included screenshots of the attack’s timeline. PeckShield, another blockchain security firm, traced the root cause to Audius’ inconsistent storage layout:
The problem with @AudiusProject is the inconsistent storage layout between its proxy and impl. The collision in the Audius Community Treasury contract results in effectively disabling the initializer modifier. This is where the proxyAdmin addr (0x..abac) plays a part. pic.twitter.com/x4CqRncahp
— PeckShield Inc. (@peckshield) July 24, 2022
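To make the storage-collision root cause concrete, here is an added Solidity example (not Audius’ code; contract and function names are assumed for illustration): a proxy whose admin and implementation pointers sit in slots 0 and 1, a logic contract whose initializer flags sit in those same slots, and a hardened proxy that keeps its bookkeeping in EIP-1967 hash-derived slots so no aliasing is possible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal delegatecall forwarder shared by the two proxies below (illustrative, not Audius' code).
abstract contract Delegator {
    function _impl() internal view virtual returns (address);
    fallback() external payable {
        address impl = _impl();
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}
// Vulnerable layout: proxy bookkeeping is ordinary state, so it occupies slots 0 and 1.
contract CollidingProxy is Delegator {
    address public proxyAdmin;      // slot 0
    address public implementation;  // slot 1
    constructor(address admin, address impl) { proxyAdmin = admin; implementation = impl; }
    function _impl() internal view override returns (address) { return implementation; }
}
// Logic contract: its state also starts at slot 0. Under delegatecall it reads the proxy's
// storage, so byte 0 of proxyAdmin is read as `initialized`, byte 1 as `initializing`, and
// `governance` aliases the implementation pointer in slot 1.
contract TreasuryLogic {
    bool private initialized;   // slot 0, byte 0
    bool private initializing;  // slot 0, byte 1
    address public governance;  // slot 1
    modifier initializer() {    // simplified OpenZeppelin-style guard
        // any non-zero byte aliased into `initializing` reads as true, so this passes every time
        require(initializing || !initialized, "already initialized");
        initialized = true;
        _;
    }
    function initialize(address gov) external initializer { governance = gov; }
}
// Hardened layout (EIP-1967): bookkeeping lives in hash-derived slots, far from slots 0, 1, ...
contract IsolatedProxy is Delegator {
    bytes32 private constant ADMIN_SLOT = bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);
    bytes32 private constant IMPL_SLOT = bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1);
    constructor(address admin, address impl) {
        bytes32 a = ADMIN_SLOT; bytes32 i = IMPL_SLOT;
        assembly { sstore(a, admin) sstore(i, impl) }
    }
    function _impl() internal view override returns (address impl) {
        bytes32 s = IMPL_SLOT;
        assembly { impl := sload(s) }
    }
}
```

Behind CollidingProxy, `initialize` can be called repeatedly because the guard reads the admin address bytes rather than flags the logic ever wrote; behind IsolatedProxy the first call sets `initialized` and every later call reverts. Tooling such as a storage-layout diff between proxy and implementation at deploy and upgrade time catches this class of bug before it ships.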
How can you control damage?
Audius later stated that the vulnerabilities had been fixed, but features such as token transfers and balance display remained disabled because of concerns about residual risk.
This was done by “proxy-upgrading every contract to a minimal BlockingContract” that did not contain the bug, and by reassigning proxyAdmin to a predefined team address, which prevented further repeated invocations.
Did this help the affected token? Not really: as the CoinMarketCap chart below shows, the token price dropped sharply.
Source: CoinMarketCap
The token (AUDIO), trading just past the $0.02 mark at the time of writing, had seen a further 2% correction.