Audius was hacked over the weekend for $6m in AUDIO tokens: “Audits are not bulletproof”

The 18 million AUDIO tokens were reportedly sold on Uniswap for $1.07m worth of Ethereum.

Silhouette Listener

Image: Tatiana Maksimova

Audius, the blockchain-powered music streaming service, reported it was hacked on Saturday (23 July) for $6.1m worth of its AUDIO tokens.

READ MORE: How LimeWire, Winamp, Napster and more internet relics are finding new life in Web3

In a post-mortem report released the following day (24 July), Audius revealed that the attack exploited a bug in its contract initialisation code which allowed “repeated invocations of the initialise functions.”

This allowed the attacker to transfer 18m AUDIO tokens ($6.1m) to an external wallet, which was reportedly sold on Uniswap for 705 ETH ($1.07m).

Audius noted that changes made in the attack were “isolated to the internal state of the staking system (no new tokens were minted), and didn’t affect circulating token supply.”

Timeline of the attack

Audius reportedly assembled its response team 25 minutes after the attacker’s second attempt at the illicit transfer succeeded.

Within an hour, the response team successfully determined the root cause of the exploit, and deployed an initial fix 87 minutes after to “patch exploit, freezing currently deployed contracts (including token) as a side effect.”

A finalised patch was deployed within the next three hours.

In its post-mortem report, Audius directly addressed shortcomings and oversights in regards to its response to the attack.

“The Audius project team has not worked actively on Solidity/EVM-based code in nearly two years,” the report wrote. “It took folks time to get back up to speed on all things here. Staying more in-tune with the latest state of the art of dev / debugging tooling here will help us mount more effective responses in the future.”

Smart contracts role in decentralised finance

Smart contracts are the transaction protocols which allow Web3 apps to function without centralised intermediaries – they allow such apps to operate ‘independently’ in similar fashion to vending machines.

According to Audius, its set of contracts were audited by OpenZeppelin on 25 August 2020 with “additional changes” audited by Kudelski on 27 October 2021.

“Unfortunately this vulnerability was not caught in either case,” Audius stated. “Audits are not bulletproof, and time spent in the market (and the resulting Lindy effect) can help build confidence but does not rule out opportunities for exploitation. These contracts were deployed in October 2020 and this vulnerability has been live in the wild since that time.”


Get the latest news, reviews and tutorials to your inbox.