Protocol’s Governance Contract, Vulnerable for Two Years, Exploited in Attack
Decentralized music platform Audius saw a hacker exploit its network governance process, stealing 18 million native tokens through a malicious proposal that took advantage of a flaw in the blockchain’s smart contract systems.
Audius aims to build a decentralized, community-owned protocol in a bid to take on centralized music streaming platforms. Crunchbase data shows it has raised $13.6 million in funding since 2018, including from Pantera Capital and Kleiner Perkins.
An attacker on Saturday exploited a bug in a smart contract that had gone undetected since 2020, the company said on Sunday. The hacker stole nearly 18.6 million $AUDIO tokens, selling the stolen assets for $1.08 million, blockchain security company PeckShield tells Information Security Media Group. The company assisted Audius with its investigation. The value of the stolen tokens at the time of writing was $5.9 million.
Audius was designed to allow $AUDIO token holders to enact changes via on-chain proposals. By exploiting the bug in the governance contract, the attacker set themselves as the sole guardian of the governance contract, thereby gaining full control over the approval of on-chain proposals.
The vulnerability also affected Audius’ staking and delegation smart contracts. Transactions on those contracts have been frozen until a patch can be administered, the company says.
“Work is continuing to examine the storage modifications made by the attacker and to ensure safe resumption of the remaining Audius smart contract systems,” the company says.
It says it is also evaluating options to remediate the loss of funds.
The company used the same vulnerability the attacker exploited to regain control of the governance system and block further exploitation. It proposed an on-chain change to take control of the governance contract and deployed the necessary patches.
“After deploying the set of contracts that gave the response team control over the system as well as halted writes, the team was able to one-by-one re-deploy and initialize the proxy contracts for each of the impacted components,” it says.
It has delayed patching the bug in the staking and delegation smart contracts to “allow for external review.” Those proxies are frozen for now, so they are not vulnerable to further exploitation, the company says.
Audius says “audits aren’t bulletproof.”
The vulnerable contracts were deployed in October 2020. “The Audius protocol team has not worked actively on Solidity/EVM-based code in nearly two years. It took folks time to get back up to speed on all things here,” the company says. It intends to stay abreast of current development and debugging tooling to remedy this.
PeckShield adds that it is key to continuously monitor the dynamics of deployed protocols and to prepare contingency measures for risk control and mitigation.
Audius says it will also set up a better automated tooling system to detect suspicious on-chain activity.
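The kind of automated on-chain monitoring PeckShield and Audius describe can be a small rule engine over decoded contract events. The block below is an added example written for this article; it is not Audius code, and the event names (GuardianChanged, ProposalSubmitted, ProposalExecuted), argument names, contract addresses and the voting-period threshold are all assumptions chosen for illustration. The sample events are constructed: a benign proposal that passes after a normal voting period, followed by the pattern the article describes, where one address becomes guardian and then submits and executes its own proposal within a couple of blocks.

```python
"""Minimal on-chain governance monitor over decoded contract events.

Added example, not Audius code. Event names, argument names, addresses and
the voting-period threshold are hypothetical; a real monitor would decode
events from the ABI of the governance contract it watches and read the
voting period from the contract's own configuration.
"""
from dataclasses import dataclass

GOVERNANCE = "0xgov"              # hypothetical governance contract address
EXPECTED_GUARDIAN = "0xmultisig"  # hypothetical guardian the team controls
MIN_VOTING_BLOCKS = 50            # hypothetical: execution sooner than this is suspicious


@dataclass(frozen=True)
class Alert:
    block: int
    rule: str
    detail: str


def monitor(events, expected_guardian=EXPECTED_GUARDIAN,
            min_voting_blocks=MIN_VOTING_BLOCKS):
    """Return one Alert per suspicious governance event, in block order.

    Rules:
      guardian-change  : the guardian was set to an address we do not expect
      unknown-proposal : a proposal was executed without a submission being seen
      fast-execution   : a proposal was executed before the voting period elapsed
      self-executed    : the address that submitted a proposal also executed it
    """
    alerts = []
    guardian = expected_guardian
    submitted = {}  # proposal id -> (submission block, proposer)
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["contract"] != GOVERNANCE:
            continue  # only governance events matter for these rules
        blk, name, args = ev["block"], ev["event"], ev["args"]
        if name == "GuardianChanged":
            if args["new"] != expected_guardian:
                alerts.append(Alert(blk, "guardian-change",
                                    f"guardian {guardian} -> {args['new']}"))
            guardian = args["new"]
        elif name == "ProposalSubmitted":
            submitted[args["id"]] = (blk, args["proposer"])
        elif name == "ProposalExecuted":
            pid, executor = args["id"], args["executor"]
            if pid not in submitted:
                alerts.append(Alert(blk, "unknown-proposal",
                                    f"proposal {pid} executed by {executor} "
                                    "with no submission seen"))
                continue
            sub_blk, proposer = submitted[pid]
            if blk - sub_blk < min_voting_blocks:
                alerts.append(Alert(blk, "fast-execution",
                                    f"proposal {pid} executed {blk - sub_blk} "
                                    "blocks after submission"))
            if executor == proposer:
                alerts.append(Alert(blk, "self-executed",
                                    f"proposal {pid} submitted and executed "
                                    f"by {executor}"))
    return alerts


# Constructed sample events for this example (not real chain data).
SAMPLE_EVENTS = [
    {"block": 10, "contract": GOVERNANCE, "event": "ProposalSubmitted",
     "args": {"id": 6, "proposer": "0xholder"}},
    {"block": 12, "contract": "0xstaking", "event": "Staked",
     "args": {"who": "0xholder"}},
    {"block": 80, "contract": GOVERNANCE, "event": "ProposalExecuted",
     "args": {"id": 6, "executor": "0xmultisig"}},
    {"block": 100, "contract": GOVERNANCE, "event": "GuardianChanged",
     "args": {"old": "0xmultisig", "new": "0xattacker"}},
    {"block": 101, "contract": GOVERNANCE, "event": "ProposalSubmitted",
     "args": {"id": 7, "proposer": "0xattacker"}},
    {"block": 102, "contract": GOVERNANCE, "event": "ProposalExecuted",
     "args": {"id": 7, "executor": "0xattacker"}},
]


if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print(f"block {alert.block}: [{alert.rule}] {alert.detail}")
```

Run against the sample, the benign proposal 6 produces nothing, while the second sequence raises three alerts (guardian-change at block 100, then fast-execution and self-executed at block 102). The guardian-change rule alone would have fired on the first step of the pattern the article describes; the other rules are there so that a takeover which leaves the guardian address untouched still surfaces.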