Proposals in the crypto space help the community to make decisions based on consensus. However, for the decentralized music platform Audius, the passage of a malicious governance proposal resulted in the transfer of $6.1 million worth of tokens, and the hacker obtained $1 million.
On July 24, a malicious proposal (Proposal #85) requesting the transfer of 18 million internal AUDIO tokens was approved by the voting community. As first pointed out on Crypto Twitter by @spreekaway, the attacker created a malicious proposal in which they “could call initialize() and position themselves as the sole guardian of the governance contract.”
The entire amount was then sold almost immediately in a single transaction: about 6 million USD worth of AUDIUS was exchanged for 705 ETH (approximately 1 million USD at the current ETH rate).
Blockchain investigator PeckShield pointed to an inconsistency in Audius’s storage layout.
Further investigation by Audius confirmed the unauthorized transfer of AUDIO tokens from the platform’s treasury. Following the disclosure, Audius moved to suspend all Audius smart contracts and AUDIO tokens on the Ethereum blockchain.
The spread between the roughly 6 million USD value of the tokens and the 705 ETH received for them is partly due to the lack of liquidity for AUDIUS.
“The issue has been found and patching is underway to bring everything back to normal. To hedge against greater risks in the future, all Audius smart contracts on Ethereum will be suspended, including the token smart contract. We believe the asset as a whole will not be at risk in the future.”
The team has since reported that the vulnerabilities have been patched, but many features, such as token transfers and balance display, have not been reactivated because of concerns about risk.