Decentralized music platform Audius has identified the bug that had allowed a hacker to pass a malicious governance proposal and transfer tokens worth USD 6m, adding that they have applied a patch to regain control of the protocol.
In a post-mortem, the protocol said that a vulnerability in its governance, staking, and delegation contracts on Ethereum (ETH) allowed a hacker to exploit the contract initialization code on July 23 and maliciously transfer AUDIO 18m (USD 6.075m) held by the community treasury.
Audius said that the compromised set of contracts was audited by blockchain security firm OpenZeppelin on August 25, 2020, prior to deployment, and by another security firm Kudelski on October 27, 2021.
“Fortunately, the Audius team was able to develop and apply a patch to quickly regain control of the protocol before the attacker could do more damage,” the team claimed.
At the time of the attack, the tokens were worth USD 6.1m. However, Etherescan transactions show that the attacker managed to run away with ETH 704.9 (worth USD 1.073m) after dumping the tokens that resulted in maximum slippage.
The team also claimed that the “vast majority” of Audius foundation, team, community, and other funds are safe and were unaffected by the incident. “Work is in progress in collaboration with the community on possible remediations for the loss of funds, and we are fortunate that many options are still available,” they said.
Meanwhile, at 7:28 UTC on Monday morning, Audius’ native token AUDIO is trading at around USD 0.33, down by 2% in a day and more than 4% in a week.
Notably, Audius is not the only decentralized finance (DeFi) project that has fallen victim to a hack over the past couple of days.
Virtual pet-owning game Neopets also confirmed late last week that it had suffered a breach of data, that email accounts and passwords “may have been affected,” and they recommend that users change their passwords.
“Neopets recently became aware that customer data may have been stolen. We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data,” the company wrote in a Twitter thread on Thursday.