Blockchain-powered streaming service Audius was hacked for $6.1 million worth of their AUDIO tokens on Sunday, July 24th.
Audius described the attack as the exploitation of a bug in its contract initialization code that allowed “repeated invocations of the initialize functions.” The attacker then transferred 18 million AUDIO tokens to an external wallet. The tokens were then reportedly sold on Uniswap for 705 ETH ($1.07m). Audius also stated the attack was “isolated to the internal state of the staking system (new tokens were not minted), and didn’t affect circulating token supply.”
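To illustrate the class of bug described above, here is a constructed Solidity example that is not Audius’ code: an upgradeable-style contract whose initialize() function can be called again beside a version guarded by a one-shot flag (contract and function names are assumed for illustration).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration, not the Audius contracts. Proxy-based contracts
// use an initialize() function in place of a constructor; if nothing stops a
// second call, anyone can overwrite privileged state such as governance.
contract StakingVulnerable {
    address public governance;
    mapping(address => uint256) public stakes;

    // BUG: no guard, so initialize() can be invoked repeatedly.
    function initialize(address _governance) external {
        governance = _governance;
    }

    // Governance-only action: moves staked balance between accounts.
    function transferStake(address from, address to, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        stakes[from] -= amount;
        stakes[to] += amount;
    }
}

// Hardened form: a one-shot flag makes initialize() callable exactly once.
contract StakingFixed {
    address public governance;
    mapping(address => uint256) public stakes;
    bool private initialized;

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    function initialize(address _governance) external initializer {
        governance = _governance;
    }

    function transferStake(address from, address to, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        stakes[from] -= amount;
        stakes[to] += amount;
    }
}
```

A simple post-deployment check is to call initialize() a second time against a test fork of the deployed proxy and confirm it reverts; if it succeeds, the guard is missing or ineffective in that deployment.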
Timeline of the Attack
25 minutes after the attacker’s second attempt at the transfer succeeded, Audius assembled its response team. The root cause of the exploit was found within an hour and a fix was deployed 87 minutes afterwards. This, Audius stated, was to “patch exploit, freezing currently deployed contracts (including token) as a side effect.”
A finalized patch was deployed within the next three hours. In its post-mortem report, Audius directly addressed shortcomings and oversights regarding its response to the attack.
“The Audius project team has not worked actively on Solidity/EVM-based code in nearly two years,” reads the report. “It took folks time to get back up to speed on all things here. Staying more in-tune with the latest state of the art of dev/debugging tooling here will help us mount more effective responses in the future.”
Audius’ set of contracts was audited by OpenZeppelin in August 2020, with “additional changes” audited by Kudelski Security in October of 2021.
“Unfortunately this vulnerability was not caught in either case,” Audius stated. “Audits are not bulletproof, and time spent in the market (and the resulting Lindy effect) can help build confidence but does not rule out opportunities for exploitation. These contracts were deployed in October 2020 and this vulnerability has been live in the wild since that time.”