Simply put
- Audius, a Web3 music platform, was hacked on Saturday, with over $6 million in Ethereum-based AUDIO tokens stolen.
- The attackers swapped the tokens for less than $1.1 million in ETH and then funnelled the ETH through a transaction-mixing service.
Decentralized streaming music service Audius was hacked over the weekend, with more than $6 million in AUDIO tokens stolen from its governance smart contract by attackers. In a post-mortem report released late Sunday, the service detailed the attack and its response, noting that a previously undiscovered bug had been exploited despite past security audits.
According to the report, the hackers exploited a bug in the smart contracts' initialization code to take control of the service's Ethereum-based governance, staking, and delegation contracts. Smart contracts are the code that powers Web3 decentralized applications (dapps), allowing apps, games, and protocols to operate without a centralized intermediary.
Given its decentralized model, Audius uses an Ethereum-based ERC-20 token (AUDIO) to enable community governance. On Saturday, however, that model was abused. Through the exploit, the attacker modified Audius' voting structure and twice attempted to delegate 10 trillion AUDIO tokens to their own wallet in order to push governance proposals through.
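As an added illustration (not Audius's code, and not its actual bug, which the report describes only as a flaw in the initialization code), here is a hypothetical delegation contract whose initializer can be re-run, beside a hardened version with a once-only guard; the names guardian and delegateStake are assumed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Illustrative delegation contract meant to sit behind an upgradeable
// proxy. Names (guardian, delegateStake) are hypothetical, not Audius's.
contract VulnerableDelegateManager {
    address public guardian;                       // may move delegated stake
    mapping(address => uint256) public delegatedStake;
    bool private initialized;

    // Defect: the guard is checked but never set, so anyone can call
    // initialize() again, become guardian, and control delegation weight.
    function initialize(address _guardian) external {
        require(!initialized, "already initialized");
        guardian = _guardian;
    }

    function delegateStake(address to, uint256 amount) external {
        require(msg.sender == guardian, "not guardian");
        delegatedStake[to] += amount;
    }
}

contract HardenedDelegateManager {
    address public guardian;
    mapping(address => uint256) public delegatedStake;
    bool private initialized;
    // Once-only guard: the flag is set before the body runs, so a second
    // call reverts. Runs in the proxy's storage when called via delegatecall.
    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    // Lock the implementation's own storage too, so nobody can initialize
    // the logic contract directly (the proxy still initializes once).
    constructor() {
        initialized = true;
    }
    function initialize(address _guardian) external initializer {
        guardian = _guardian;
    }
    function delegateStake(address to, uint256 amount) external {
        require(msg.sender == guardian, "not guardian");
        delegatedStake[to] += amount;
    }
}
```

Behind a proxy the guard only works if the flag's storage slot is not shared with proxy bookkeeping, so the storage layout of both contracts should be reviewed together.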
A problem has been discovered and fixes are underway to restore it to a stable state.
All Ethereum smart contracts, including tokens, had to be shut down to prevent further damage.
We do not believe that any more funds will be at risk.
More updates / post-mortem analysis. https://t.co/i3MM9WjjgE
— Audius (@AudiusProject) July 24, 2022
These moves did not affect the total supply of AUDIO tokens, only the platform's token staking system. However, the attacker was able to pass a governance proposal that sent the entire community token pool, nearly 18.6 million AUDIO tokens, to an external Ethereum wallet. The tokens were worth a total of about $6.1 million at the time of the theft.
According to the timeline of events shared by Audius, the project team was alerted to the attack about 25 minutes after the token transfer. The team then immediately brought in the pseudonymous white-hat hacker samczsun of venture capital firm Paradigm, who has successfully blocked past smart contract exploit attempts, to help respond.
The team realized the exploit was still active, developed a fix that made use of the same vulnerability to shut it down, and deployed patches over the next few hours to stop further attacks. The team is still developing a long-term fix and promises more updates this week.
In the post-mortem report, the Audius team was candid about potential shortcomings and oversights that may have allowed the theft or delayed its response.
For example, the team had not actively worked on Solidity / Ethereum Virtual Machine (EVM) code for nearly two years. “It took me a while to understand everything here,” the team wrote, “keeping it in harmony with the latest development and debugging tools.”
However, Audius' smart contracts had been audited by security firms. They were first audited by OpenZeppelin in August 2020 and deployed in October 2020, with additional contracts audited by Kudelski in October 2021.
“Auditing is not bulletproof,” the team wrote, adding that the time the contracts had spent in the wild without problems “helps build confidence, but does not rule out exploitation opportunities.”
Although the tokens were worth over $6 million in total, the attacker, probably in a rush to launder them, traded them for a far lower value in Ethereum. The tokens were swapped on Saturday night for just over 704 wrapped Ethereum (WETH), equivalent to about $1.07 million, via Uniswap, the leading decentralized exchange.
The attacker then sent almost all of the ETH to Tornado Cash, a mixing service that combines coins from multiple transactions to make it harder to trace cryptocurrency flows on the blockchain.