Proposals in crypto help communities make consensus-based decisions. However, for decentralized music platform Auduis, the passing of the malicious governance proposal led to the change in tokens worth $6.a million, using the hacker making away with $a million.
On This summer 24, a malicious proposal (Proposal #85) requesting the change in 18 million Audius’ in-house AUDIO tokens was approved by community voting. First stated on Crypto Twitter by @spreekaway, the attacker produced the malicious proposal in which these were “able to initialize() and hang themself because the sole protector from the governance contract.”
Hello everybody – we understands reports of the unauthorized change in AUDIO tokens in the community treasury. We’re positively investigating and can report on their behavior when we all know more.
If you want to help our response team, please achieve out.
— Audius (@AudiusProject) This summer 24, 2022
Talking with Cointelegraph, Audius co-founder and Chief executive officer Roneil Rumburg clarified the community didn’t pass a malicious proposal:
This was a exploit – not really a proposal suggested or undergone any legitimate means – it simply became of make use of the governance system because the access point for that attack.
Further analysis from Auduis confirmed the unauthorized change in AUDIO tokens in the company’s treasury. Following a thought, Auduis proactively stopped all Audius smart contracts and AUDIO tokens around the Ethereum blockchain to prevent further losses. The organization, however, started again token transfers soon after, adding the “Remaining smart contract functionality has been unpaused after thorough examination/minimization from the vulnerability.”
Blockchain investigator Peckshield narrowed lower the fault to Audius’ storage layout inconsistencies.
The problem of @AudiusProject is based on sporadic storage layout between its proxy and impl. Particularly, the collision of Audius Community Treasury contract leads to an equivalence of disabling the initializer modifier. The proxyAdmin addr (0x..abac) plays a job here. pic.twitter.com/x4CqRncahp
— PeckShield Corporation. (@peckshield) This summer 24, 2022
As the hacker’s governance proposal drained out 18 million tokens worth nearly $six million in the treasury, it had been soon dumped and offered for $1.08 million. As the dumping led to maximum slippage, investors suggested an instantaneous buyback to avoid existing investors from dumping and additional decreasing the token’s floor cost.
Investors are yet to obtain clearness around the stolen funds as you investor requested, “They hacked the city fund right? The team’s fund is separate correct?”
Rumburg confirmed with Cointelegraph the real cause from the exploit continues to be mitigated and can’t be re-exploited. Considering that the community treasury is kept separate in the foundation treasury, the rest of the funds remain protected from any exploit.
Related: Yuga Labs warns of ‘persistent threat group’ targeting NFT holders
Bored Ape Yacht Club (BAYC) creator Yuga Labs issued its second warning a good expected “coordinated attack” on its social networking accounts.
Our security team continues to be tracking a persistent threat group that targets the NFT community. We feel that they’re going to soon be launching a coordinated attack targeting multiple communities via compromised social networking accounts. Be vigilant and remain safe.
— Yuga Labs (@yugalabs) This summer 18, 2022
In June, Gordon Goner, pseudonymous co-founding father of Yuga Labs, issued the very first warning of the possible incoming attack on its Twitter social networking accounts. Right after the warning, Twitter officials positively monitored the accounts and prepared their existing security.