Governance proposals help a community make consensus-based decisions. In the case of the decentralized music platform Audius, however, a malicious governance proposal was passed, resulting in the transfer of $6.1 million worth of tokens, of which the hacker cashed out roughly $1 million.
On July 24, a malicious proposal (Proposal #85) requesting the transfer of 18 million of Audius’s native AUDIO tokens was approved by a community vote. As first pointed out on Crypto Twitter by @spreekaway, the attacker created the malicious proposal after being “able to call initialize() and set [himself] as the sole guardian of the governance contract.”
Hello everyone. Our team is aware of reports of fraudulent transfers of AUDIO tokens from the community treasury. We are actively investigating and will report as soon as details are available.
If you would like to assist the response team, please contact us.
Audius (@AudiusProject) July 24, 2022
Speaking to Cointelegraph, Audius co-founder and CEO Roneil Rumburg said that the community had not passed a malicious proposal:
“This was an exploit, which happened to use the governance system as the entry point for the attack, rather than a proposal that went through legitimate means.”
A further investigation by Audius confirmed the fraudulent transfer of AUDIO tokens from the community treasury. Following the revelation, Audius paused all Audius smart contracts and AUDIO token transfers on the Ethereum blockchain to avoid further losses. The company resumed token transfers shortly thereafter, adding that “after a thorough investigation and mitigation of the vulnerabilities, the rest of the smart contract functionality has not been suspended.”
Blockchain security firm PeckShield narrowed the root cause down to an inconsistent storage layout in Audius’s contracts.
The problem with @AudiusProject: there is an inconsistent storage layout between the proxy and the impl. In particular, the conflicting Audius Community Treasury contracts effectively disable the initializer modifier. Here, the proxyAdmin addr (0x..abac) plays a role. pic.twitter.com/x4CqRncahp
PeckShield Inc. (@peckshield) July 24, 2022
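The failure PeckShield describes is a storage collision: a proxy that keeps its own variables (such as the proxy admin address) in ordinary Solidity storage slots shares those slots with whatever the implementation declares first, so the bytes of the admin address are what the implementation reads back as its `initialized`/`initializing` flags, and a non-zero byte reads as `true`. The check below is an added example written for this article, not code from Audius or PeckShield. It takes storage layouts in the shape produced by `solc --storage-layout` (the two layouts here are constructed samples, not the real Audius contracts), flags every byte-range overlap between proxy variables and implementation variables, and shows how the implementation would decode a word the proxy wrote into a shared slot. A hardened proxy that keeps its admin and implementation pointers in ERC-1967 pseudo-random slots via assembly declares no Solidity storage, so `solc` reports an empty layout and the check finds nothing.

```python
"""Storage-layout collision check between a proxy and its implementation.

Layouts follow the shape of `solc --storage-layout` output. All three layouts
below are CONSTRUCTED samples for illustration, not Audius's real contracts.
"""
from typing import Dict, List, Tuple

# Constructed: a proxy that keeps admin and implementation in plain slots 0 and 1.
VULNERABLE_PROXY_LAYOUT = {
    "storage": [
        {"label": "admin", "slot": "0", "offset": 0, "type": "t_address"},
        {"label": "implementation", "slot": "1", "offset": 0, "type": "t_address"},
    ],
    "types": {"t_address": {"numberOfBytes": "20"}},
}

# Constructed: an implementation inheriting an Initializable-style base, whose
# two bool flags are packed into the first two bytes of slot 0.
IMPL_LAYOUT = {
    "storage": [
        {"label": "initialized", "slot": "0", "offset": 0, "type": "t_bool"},
        {"label": "initializing", "slot": "0", "offset": 1, "type": "t_bool"},
        {"label": "guardian", "slot": "1", "offset": 0, "type": "t_address"},
        {"label": "balance", "slot": "2", "offset": 0, "type": "t_uint256"},
    ],
    "types": {
        "t_bool": {"numberOfBytes": "1"},
        "t_address": {"numberOfBytes": "20"},
        "t_uint256": {"numberOfBytes": "32"},
    },
}

# Constructed: a hardened proxy that declares no Solidity storage at all and
# reads/writes its admin and implementation pointers only at ERC-1967 slots
# from assembly, so solc's storage layout for it is empty.
HARDENED_PROXY_LAYOUT = {"storage": [], "types": {}}


def byte_ranges(layout: Dict) -> List[Tuple[str, int, int]]:
    """Map each variable to its [start, end) byte range in flat storage space."""
    ranges = []
    for var in layout["storage"]:
        size = int(layout["types"][var["type"]]["numberOfBytes"])
        start = int(var["slot"]) * 32 + int(var["offset"])
        ranges.append((var["label"], start, start + size))
    return ranges


def find_collisions(proxy_layout: Dict, impl_layout: Dict) -> List[Tuple[str, str]]:
    """Return (proxy_var, impl_var) pairs whose byte ranges overlap.

    Any hit means a write through one contract's view of storage is visible,
    reinterpreted, through the other's: the pre-deploy check should fail.
    """
    hits = []
    for p_name, p_start, p_end in byte_ranges(proxy_layout):
        for i_name, i_start, i_end in byte_ranges(impl_layout):
            if p_start < i_end and i_start < p_end:
                hits.append((p_name, i_name))
    return hits


def decode_slot(word: int, layout: Dict, slot: int) -> Dict[str, int]:
    """Decode a 32-byte storage word the way `layout` lays out `slot`.

    Solidity packs variables from the low-order byte upward, so a variable at
    `offset` with `size` bytes is the bits [8*offset, 8*(offset+size)).
    """
    view = {}
    for var in layout["storage"]:
        if int(var["slot"]) != slot:
            continue
        size = int(layout["types"][var["type"]]["numberOfBytes"])
        mask = (1 << (8 * size)) - 1
        view[var["label"]] = (word >> (8 * int(var["offset"]))) & mask
    return view


if __name__ == "__main__":
    print("vulnerable proxy:", find_collisions(VULNERABLE_PROXY_LAYOUT, IMPL_LAYOUT))
    print("hardened proxy:  ", find_collisions(HARDENED_PROXY_LAYOUT, IMPL_LAYOUT))
    # Constructed admin address (20 bytes of 0x11), as the proxy would store it.
    admin_word = int("11" * 20, 16)
    # The implementation reads the same word as its two flags; both bytes are
    # non-zero, and a non-zero byte loaded into a bool reads as true.
    print("impl view of slot 0:", decode_slot(admin_word, IMPL_LAYOUT, 0))
```

Run as a script, the check lists `admin` colliding with both flags and `implementation` colliding with `guardian` for the vulnerable layout, and nothing for the hardened one. The same comparison belongs in an upgrade pipeline (the layouts of both the proxy and every new implementation, including storage gaps in inherited bases), because the collision exists regardless of which address happens to sit in the shared slot.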
The hacker’s governance proposal drained 18 million tokens, worth nearly $6 million, from the treasury; they were quickly dumped and sold for $1.08 million. Although the dump caused heavy slippage, investors recommended an immediate buyback to prevent existing holders from dumping and pushing the token’s floor price down further.
Investors are also still unclear about the stolen funds, as one investor asked: “Team funds are different, aren’t they?”
Rumburg confirmed to Cointelegraph that the root cause of the exploit has been mitigated and cannot be exploited again. Given that the community treasury is separate from the Foundation treasury, the remaining funds are safe from any misuse.
Related: Yuga Labs warns about “persistent threat groups” for NFT holders
Yuga Labs, creator of the Bored Ape Yacht Club (BAYC), has issued a second warning about possible “coordinated attacks” on social media accounts.
Our security team is tracking persistent threat groups targeting the NFT community. We believe a coordinated attack targeting multiple communities through compromised social media accounts may be launched soon. Be vigilant and stay safe.
Yuga Labs (@yugalabs) July 18, 2022
In June, Yuga Labs’ pseudonymous co-founder Gordon Goner issued the first warning about a possible attack on the company’s Twitter accounts. Immediately after the warning, Twitter staff proactively monitored the accounts and strengthened their existing security.