The decentralized music streaming platform Audius was cyber attacked on 23 July and lost more than 18 million AUDIO tokens worth $6 million. Audius notified its Twitter user soon after the attack and froze services. Since then developers of the music streaming platform were investigating the incident.
The company said on its blog, “The bug allowed an attacker to maliciously transfer 18MM $AUDIO tokens held by the Audius governance contract (referred to as the “community treasury”) to a wallet of their control and modify dynamics of the voting system to illicitly change their staked $AUDIO amounts in the network. ”
According to the company Audius utilizes the Open Zeppelin proxy upgradability pattern with an override action under the Audius Admin Upgradability Proxy contract permitting the proxy upgrades to the logic contracts of the Audius system. The Audius Admin Upgradability Proxy uses 0 storage slot and the Admin proxy for the Audius protocol was set to a governance system address such as 0x4deca517d6817b6510798b7328f2314d3003abac for implementing various checks and balances to prevent unauthorized use.
The bug released by the unknown threat actor initiated a collision course with Open Zeppelin’s Initializable contract to initiate a boolean state, a type of data that contains two-state values like true/false, yes/no, on/off, stored in slot 0.
According to reports the Audius hack involved two contracts overlapping the same storage slot, “slot 0.” This overlapping “made the value of both initializing and initialized appeared to be true,” and the rest of the check went through a short circuit and stopped running.
The company said that initializing was true and the call was not considered as ‘topLevelCall,’ that is when both ‘initializing’ and ‘initialized’ remain unchanged. The bug was able to change the storage state that can be set only once in the initialization.
Binance’s CEO Changpeng Zhao notified in his Twitter account that none of the Audius funds were received by the biggest crypto exchange company. Binance is popular for trading cryptocurrencies and it provides a crypto wallet where traders can even store their electronic funds. Traders can earn interest using Binance for transactions of cryptocurrencies.
Audius has already notified that they have taken an extreme amount of safety measures along with initiating an in-depth thorough investigation to safeguard all the funds. Now, Binance CEO’s remark on Twitter regarding no transaction being found after a huge hacking attempt relieves the stress of the Audius clients.
None of the Audius hacked funds came to @Binance so far. We will keep monitoring. Stay #SAFU https://t.co/fJ7rmbcSmm
— CZ 🔶 Binance (@cz_binance) July 31, 2022
