
Cyber Incident Victim: Audius

Date: Jul 2022

Location: United States of America

Summary

Hackers exploited a vulnerability in the contract initialization code of a decentralized music platform that allowed the initialize functions to be invoked repeatedly, and used it to steal approximately $6 million worth of AUDIO tokens from the community treasury. The attacker transferred 18.5 million tokens and manipulated governance proposals to redirect additional funds to their wallet. The platform swiftly froze services to mitigate further theft, securing remaining user assets, though staking and delegate management systems remained paused while fixes were applied. The stolen tokens were exchanged for $1.07 million via Uniswap and laundered through Tornado Cash. The vulnerability had persisted undetected since deployment despite two prior security audits, highlighting limitations in audit processes. No new tokens were minted, and circulating supply remained unaffected.


Description

The Audius blockchain music platform suffered a security breach over the weekend of July 23-24, 2022, resulting in the theft of approximately $6 million worth of AUDIO tokens. Attackers exploited a vulnerability in the contract initialization code that enabled repeated invocations of the initialize functions, bypassing the intended one-time-initialization safeguards. This flaw allowed the hacker to transfer 18.5 million AUDIO tokens from the platform's community treasury to their own wallet. Following the initial theft, the attacker attempted to execute four governance proposals; three failed and one succeeded, transferring the entire Audius community pool funds to their wallet. The platform's team detected the breach within minutes and froze multiple services to contain further damage, including suspending staking and governance functionality. Audius developers promptly deployed fixes to address the vulnerability while confirming that no new tokens were minted during the incident and that circulating supply remained unaffected. By late Sunday, July 24, core token functionality was restored, though staking and delegate management systems remained offline pending additional security evaluations.
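The re-initialization bug class described above, as an added illustration that is not Audius's code and does not claim to reproduce how Audius's own safeguard was bypassed (the page does not state the mechanism): a treasury contract whose `initialize` can be called again lets any caller replace the governance address and drain the pool, shown beside a version guarded by a one-shot flag. The contract and function names (`TreasuryVulnerable`, `TreasuryGuarded`, `governance`, `withdraw`) are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Vulnerable: nothing stops initialize() from running a second time, so any
// caller can re-run it, install themselves as governance and call withdraw().
contract TreasuryVulnerable {
    address public governance;
    IERC20 public token;

    function initialize(address _governance, IERC20 _token) external {
        governance = _governance; // overwritten on every call
        token = _token;
    }

    function withdraw(address to, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Hardened: a flag set on the first call makes every later initialize() revert.
// When the contract sits behind a proxy, the flag must occupy a storage slot
// that no other layer writes to; otherwise the guard can be cleared.
contract TreasuryGuarded {
    bool private initialized;
    address public governance;
    IERC20 public token;

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    function initialize(address _governance, IERC20 _token) external initializer {
        governance = _governance;
        token = _token;
    }

    function withdraw(address to, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

A review check for this class of bug is to confirm that every `initialize`-style function either carries an initializer guard or is unreachable after deployment, and that the guard's storage slot is not shared with proxy bookkeeping.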


The attacker subsequently exchanged the stolen tokens on Uniswap, realizing only $1.07 million because significant price slippage erased 83% of the tokens' nominal value, before obscuring the funds through the Tornado Cash mixing service. Audius disclosed in its post-mortem analysis that the exploited vulnerability had existed undetected since the contracts' deployment in October 2020, despite two prior security audits conducted in August 2020 and October 2021 by different firms. The breach highlighted limitations in smart contract auditing processes while demonstrating the platform's ability to respond rapidly during active business hours, preventing additional losses. Although the financial impact was substantially smaller than contemporaneous attacks on Axie Infinity and Poly Network, the incident compromised governance mechanisms by draining community-controlled funds. Audius committed to improving its incident response protocols and acknowledged the event as a learning opportunity for decentralized projects regarding vulnerabilities that persist despite audits. According to platform statements, no user funds beyond the community treasury were affected.
