Audius, a Web3 music streaming platform, became the latest victim of a cryptocurrency heist, disclosing over the weekend that an attacker looted 18.6 million of AUDIO tokens and sold them for 705 ETH.
As a decentralized platform, US-based Audius uses the Ethereum blockchain for its tokens.
The hacker exploited an undiscovered bug in Audius’ governance smart contract, or the platform’s “community treasury,” and delegated 10 trillion AUDIO tokens to themself in an attempt to pass a governance vote.
The hacker was able to then transfer 18.6 million of AUDIO tokens to a wallet that they controlled, Audius said in a post-mortem report of the incident.
“The vulnerability was mitigated within a few hours of discovery, and work is continuing to examine the storage modifications made by the attacker and to ensure safe resumption of the remaining Audius smart contract systems.”
Audius, in a tweet on Sunday (July 24), said the issue has been found and fixes are underway, but the platform had to halt all smart contracts on Ethereum to prevent further damage.
As of Monday, all remaining funds and fixes have been deployed and all remaining smart contract components have been upgraded and unpaused except for staking and delegation functions, the company said in a recent update.
“The vulnerability was mitigated within a few hours of discovery, and work is continuing to examine the storage modifications made by the attacker and to ensure safe resumption of the remaining Audius smart contract systems,” Audius said.
Audius co-founder and CEO Roneil Rumburg confirmed the hack, saying the incident “was an exploit – not a proposal proposed or passed through any legitimate means.”
The platform appeared to have engaged Samczsun, a prominent crypto white hat hacker, in addressing the issue, according to a tweet thanking the hacker.
Samczsun is identified as a research partner and head of security at capital venture firm Paradigm.
Nearly a year ago, Samczsun managed to save SushiSwap and its Miso platform from a potential loss of as much as 109,000 ETH by patching a vulnerability.
SushiSwap is an Ethereum-based software that incentivizes a network of users to operate a platform where they can buy and sell crypto assets.
Meanwhile, a number of crypto and blockchain security research firms released their own findings into the Audius hack including Certik and MistTrack. The latter said the hacker swapped the 18.5 million AUDIO tokens via Uniswap — a cryptocurrency exchange that uses a decentralized network protocol — for just a little over $1 million ETH.
As of writing, the price of the AUDIO token fell nearly 9% to $0.31, the lowest in about two weeks.
The incident marks a setback for Audius as it occurred just days after the company launched a new service allowing artists and curators to monetize their content by letting listeners send tips.
Audius’ platform is more invested in the cryptographic side of things unlike mainstream streaming platforms like Spotify and Apple Music.
Rumburg told MBW in an interview over a year ago that Audius develops features based on suggestions by its community holding tokens.
“Our company is almost like a consulting shop from a business model perspective — we do work on these features and hope that the community will want to keep supporting the work that we do,” Rumburg said at the time.
Bank of America analysts, in a recent research report, said Audius’ decentralized music streaming platform “shifts power, profits, control and governance from record labels and centralized DSPs to artists and fans.”
However, the bank warned that the platform’s usage growth has slowed since December 2021.
The startup, founded in 2018, counts a number of artists including Katy Perry, Jason Derulo and Steve Aoki among its backers, according to data from Crunchbase.Music Business Worldwide