Audius, a Web3 music streaming platform, became the latest victim of a cryptocurrency heist, revealing over the weekend that an attacker had looted 18.6 million AUDIO tokens and sold them for 705 ETH.
As a decentralized platform, the US-based company Audius uses the Ethereum blockchain for its tokens.
Exploiting a previously undiscovered flaw in Audius’ governance smart contract, which controls the platform’s “community treasury,” the hacker delegated 10 trillion AUDIO tokens to itself in order to pass a governance vote.
The hacker was then able to transfer 18.6 million AUDIO tokens to a wallet it controlled, Audius said in a post-mortem report on the incident.
Audius, in a tweet on Sunday (July 24), said the issue had been found and fixes were ongoing, but the platform had to halt all smart contracts on Ethereum to prevent further damage.
As of Monday, all remaining funds and fixes have been deployed and all remaining smart contract components have been updated and are no longer paused except for staking and delegation features, the company said in a recent update.
“The vulnerability was mitigated within hours of its discovery and work continues to investigate the attacker’s memory modifications and ensure a safe resumption of the remaining Audius smart contract systems,” said Audius.
Roneil Rumburg, co-founder and CEO of Audius, confirmed the hack and said the incident was “an exploit – not a suggestion proposed or carried out in a legitimate manner”.
The platform seems to have brought in Samczsun, a prominent crypto white hat hacker, to solve the problem, according to a tweet thanking the hacker.
Samczsun is identified as a research partner and head of security for private equity firm Paradigm.
Almost a year ago, Samczsun managed to save SushiSwap and its Miso platform from a potential loss of up to 109,000 ETH by patching a vulnerability.
SushiSwap is Ethereum-based software that encourages a network of users to run a platform where they can buy and sell crypto assets.
Meanwhile, a number of crypto and blockchain security research firms have released their own insights into the Audius hack, including Certik and fog trail. The latter said the hacker swapped the 18.5 million AUDIO tokens via Uniswap — a cryptocurrency exchange that uses a decentralized network protocol — for just over $1 million in ETH.
At the time of writing, the price of the AUDIO token is down nearly 9% to $0.31, its lowest level in about two weeks.
The incident marks a setback for Audius, as it came just days after the launch of a new service that allowed artists and curators to monetize their content by letting listeners send tips.
Unlike mainstream streaming platforms such as Spotify and Apple Music, Audius’ platform is more invested in the crypto side of things.
Rumburg told MBW in an interview over a year ago that Audius develops features based on suggestions from its token-holding community.
“Our company is almost like a consulting business from a business model perspective — we’re working on those features and we hope the community will want to continue supporting our work,” Rumburg said at the time.
Bank of America analysts said in a recent research report that Audius’ decentralized music-streaming platform “shifts power, profits, control and governance from record labels and centralized DSPs to artists and fans.”
However, the bank warned that the platform’s usage growth has slowed since December 2021.
Founded in 2018, the startup counts a number of artists including Katy Perry, Jason Derulo and Steve Aoki among its backers, according to Crunchbase.

Music Business Worldwide