Hacker Enjoys Huge Payday After Passing Malicious Proposal on Audius
Over the weekend, Audius suffered a security breach on its platform. The music streaming service has invited interested community members to assist with the investigation of the breach.
Audius Community Inadvertently Helps a Hacker
Audius is a decentralised music streaming platform where users can stream music and earn AUDIO token rewards. The platform recently confirmed in a Twitter post that there had been an unauthorised transfer of its AUDIO tokens.
Hello everyone – our team is aware of reports of an unauthorized transfer of AUDIO tokens from the community treasury. We are actively investigating and will report back as soon as we know more.
If you'd like to help our response team, please reach out.
— Audius 🎧 (@AudiusProject) July 24, 2022
The transfer appears to have originated from a malicious proposal on the Audius network. Proposal #85 requested the transfer of 18 million AUDIO tokens and, surprisingly, was approved by the Audius community. The hacker appears to have crafted the malicious proposal so that, once executed, it set them as the sole guardian of the governance contract, giving them control over the execution of the transfer.
Further investigation from Audius confirmed that the hacker had transferred the AUDIO tokens from the platform’s treasury. Following the findings, Audius halted all smart contracts and AUDIO tokens on the Ethereum blockchain to prevent additional transfers.
The company eventually resumed all transfers, confirming that it had mitigated the vulnerability and that operations were back to normal.
PeckShield, a blockchain forensics firm, explained in a report that the problem appeared to stem from an inconsistent storage layout between Audius's proxy and implementation contracts. The inconsistency appears to have been fixed since, but the hacker made off with a handsome payday.
The issue of @AudiusProject lies in inconsistent storage layout between its proxy and impl. In particular, the collision of Audius Community Treasury contract results in an equivalence of disabling the initializer modifier. The proxyAdmin addr (0x..abac) plays a role here. pic.twitter.com/x4CqRncahp
— PeckShield Inc. (@peckshield) July 24, 2022
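As an added illustration of the storage-collision pattern PeckShield's tweet describes (this is not Audius's or PeckShield's code, and the contract and variable names are assumed), the following Solidity shows a proxy that stores its admin in slot 0, where it aliases the implementation's packed initializer flags, next to a proxy that keeps its own state in the dedicated EIP-1967 slots:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Implementation with packed init flags in slot 0 (Initializable-style layout).
contract TreasuryImpl {
    bool private initialized;  // slot 0, byte 0
    bool private initializing; // slot 0, byte 1
    address public guardian;   // slot 1

    modifier initializer() {
        // A non-zero `initializing` byte makes this check pass every time.
        require(initializing || !initialized, "already initialized");
        initialized = true; // through CollidingProxy this also clobbers proxyAdmin's low byte
        _;
    }
    function initialize(address g) external initializer { guardian = g; }
}

// Shared forwarder: the implementation pointer is kept in the EIP-1967 impl slot.
abstract contract DelegateBase {
    bytes32 private constant IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    function _setImpl(address impl) internal {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, impl) }
    }
    fallback() external payable {
        bytes32 slot = IMPL_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}

// VULNERABLE: the admin sits in proxy slot 0. Via delegatecall the implementation
// reads that address's two lowest bytes as its flags; an admin ending in ..abac
// yields initializing = 0xab (truthy), so initialize() passes the check again.
contract CollidingProxy is DelegateBase {
    address public proxyAdmin; // slot 0: collides with initialized/initializing
    constructor(address admin, address impl) { proxyAdmin = admin; _setImpl(impl); }
}

// HARDENED: the admin lives in the EIP-1967 admin slot, so no proxy state overlaps impl storage.
contract Eip1967Proxy is DelegateBase {
    bytes32 private constant ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;
    constructor(address admin, address impl) { bytes32 s = ADMIN_SLOT; assembly { sstore(s, admin) } _setImpl(impl); }
}
```

Slot-layout diffing between proxy and implementation (for example with a compiler's storage-layout output) is the check that catches this class of bug before deployment.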
The 18 million AUDIO tokens transferred were worth about $6 million at the time. However, the hacker was only able to sell them for about $1.08 million because of slippage and high market volatility. At press time, the hacker appeared to have moved most of the funds out of their wallet.
Everyone on High Alert
The security breach is just the latest in attacks on decentralised platforms. Last week, Yuga Labs – the creators of the popular Bored Ape Yacht Club (BAYC) non-fungible token (NFT) collection – confirmed that they had been tracking reports of a possible coordinated attack against the community.
In a Twitter post, Yuga Labs explained that the attack could be aimed at the broader NFT community, with hackers looking to capitalise on compromised social media accounts. Yuga Labs has been on high alert for hacks for quite a while now. The company holds some of the best-known NFT collections, including its BAYC collection, Mutant Ape Yacht Club (MAYC), and the CryptoKitties collection that it purchased from Larva Labs earlier this year. After the company raised $450 million in a seed funding round and announced plans to launch its Otherside metaverse, its Discord channel was hacked.
Our security team has been tracking a persistent threat group that targets the NFT community. We believe that they may soon be launching a coordinated attack targeting multiple communities via compromised social media accounts. Please be vigilant and stay safe.
— Yuga Labs (@yugalabs) July 18, 2022
According to blockchain investigator OKHotshot, the hackers were able to break into the Discord server after gaining access to the account of Boris Vagner, the company's community and social media manager. The hackers got away with 145 ETH, putting the entire Yuga Labs and APE community on high alert.
🚨BAYC & OtherSide discords got compromised‼️
Seems because Community Manager @BorisVagner got his account breached, which let the scammers execute their phishing attack. Over 145E was stolen
Proper permissions could prevent this pic.twitter.com/lCl2DfZQ0W
— OKHotshot (@NFTherder) June 4, 2022
Less than two weeks later, Gordon Goner, Yuga Labs' pseudonymous co-founder, took to Twitter to announce that he had reason to believe a second hack was on its way. Goner claimed that he had received "credible information" that an insider at Twitter was working with hackers to help them bypass the security on Yuga Labs' accounts, most likely to run a phishing campaign.
We’ve received credible information that there may soon be an attack on our social media accounts, using an inside source at @Twitter to bypass our security.
There are no surprise mints. Ever.
— GordonGoner.eth (@GordonGoner) June 11, 2022
Although no such attack has happened yet, Goner's post indicates that the company is monitoring its security closely, something that users of decentralised protocols and investors who buy Ape NFTs should also take note of.