A malicious actor siphoned $6 million from music platform Audius through the platform’s decentralized governance system.
The hacker created a malicious proposal requesting the transfer of 18 million AUDIO tokens from the community treasury, an action supposedly approved by the Audius community. He assigned himself as the sole guardian of the contract by calling the smart contract function “initialize(),” according to Twitter user @spreekaway.
Audius initially paused smart contracts and AUDIO tokens to prevent further loss of funds from the community treasury, resuming smart contract functionality soon after. Funds in the community treasury and the foundation treasury are both safe.
The company said it would likely release a full post-mortem tomorrow.
Hacker causes slippage in AUDIO price
After stealing 18 million tokens for $6 million, the hacker sold them for $1.08 million on decentralized exchange Uniswap, causing a slippage in the AUDIO token price. Slippage is the difference between the expected price of a token and the price when the order executes and can be expressed as a percentage or a dollar amount. One investor suggested a buyback to prevent a selloff that would drive the price down further. Another investor gave Audius an ultimatum: recover, else they are out.
An initial investigation by blockchain security company Peckshield pointed to an inconsistent storage layout as the root cause of the problem, which Audius had fixed by press time. The exploit is no longer possible.
Audius cutting out labels
Audius was founded to connect music artists to fans without an intermediary like a label. Initially designed to be a blockchain version of SoundCloud, Audius is where artists can produce immutable tracks that fans can listen to free of charge. Artists have freedom with how they monetize their work and receive 90% of revenue. The remaining 10% is distributed to node operators.
Audius recently launched a service enabling holders
Read Full Article…