Audius, a blockchain-based streaming service, announced over the weekend that a hacker managed to steal and sell millions of dollars worth of AUDIO tokens from the platform.
The hacker was able to find and exploit a bug in Audius’ smart contract — the code that allows decentralized platforms to function without intermediaries. Other companies have been hit in a similar fashion: The blockchain security firm Beosin recently estimated that close to $2 billion has been lost to hacking incidents in the first half of 2022. “The most common hacking techniques continue to be contract vulnerability exploitation and flash loans,” Beosin noted.
On Saturday, Audius tweeted that it was looking into “reports of an unauthorized transfer… from the community treasury.” The following day, the company published a report on its blog about the incident, detailing the steps the hacker had taken to execute the theft. Audius added that its “team was able to develop and apply a path to quickly regain control of the protocol before the attacker could do more damage.”
Audius, which was founded in 2018, is built on a blockchain, a transparent and immutable ledger system. Artists get to decide if and how they want to monetize their music on the platform, and they are able to keep 90% of the revenue from their sales.
“The intent was to create this commons for music distribution that was owned and operated by the community, not by a company,” CEO Roneil Rumburg told Billboard in January. “… We thought it would be a really compelling value proposition to approach artists and say, ‘Hey, by contributing music here you actually gain control of and ownership of your distribution toolchain.’”
Audius amassed celebrity investors, including The Chainsmokers and Katy Perry. In September 2021, the company reported that it had more than 6 million monthly active users.
In its post-mortem report, Audius said its smart contract had previously been audited. However, “audits are not bulletproof,” the company noted, “and time spent in the market… can help build confidence but does not rule out opportunities for exploitation. These contracts were deployed in October 2020, and this vulnerability has been live in the wild since that time.”
The hacker’s ability to exploit that vulnerability allowed them to transfer more than 18 million AUDIO tokens, worth $6.1 million at the time, to an external wallet in their control. The hacker subsequently traded those tokens for 705 ETH, then worth $1.07 million; the much smaller figure reflects the price impact of selling that volume of tokens at once.
Audius’ report maintained that “the vast majority” of its “foundation, team, community… and other funds associated with the ecosystem are safe and were unaffected by this incident.”
“Work is in progress in collaboration with the community on possible remediations for the loss of funds,” the report concluded, “and we are fortunate that many options are still available.”