Audius, a decentralized music streaming platform powered by its token AUDIO, was in the news this week after a network attack. On July 23, Audius' staking, governance, and decentralization contracts were compromised after a hacker discovered a bug in the contract's initialization code, allowing the attacker to cast malicious voting proposals.
The first (Proposal #84) attempted to falsify a delegation of 10 trillion AUDIO tokens to the staking contract (the actual AUDIO total supply is less than 1 billion tokens), while in the second (Proposal #85) the attackers requested the transfer of 18 million AUDIO tokens to their wallets. Using Proposal #84 as a test and then executing Proposal #85, the attackers circumvented the token governance vote by exploiting a bug that made the smart contract count the 10 trillion AUDIO tokens as valid votes on their behalf, and finally transferred the 18 million AUDIO tokens from the community treasury to their personal account. The tokens were later exchanged for 705 ETH through Uniswap (US$1.08 million).
In response to the attack, the Audius team used the same vulnerability to recover and interrupt system governance, token transfer, and other activities in the protocol's Ethereum contract. After fixing the bug and updating the contract, the protocol is now working normally.
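The attack narrative above turns on an initialization bug. The following is an added, constructed illustration of the general class of defect (an initializer that can be called more than once) placed beside the guarded form; it is not the Audius contract's code, and the contract and function names are assumptions made for the example. The point is the defensive check: an initializer that runs only once cannot be used to rewrite governance parameters after deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example, not Audius code. A minimal governance stub whose
// initialize() sets the token used to weigh votes and a guardian address.

// Vulnerable form: nothing stops initialize() from being called again after
// deployment, so the state set at deployment can be overwritten later.
contract GovernanceUnguarded {
    address public votingToken;
    address public guardian;

    function initialize(address _votingToken, address _guardian) external {
        votingToken = _votingToken;   // BUG: re-callable, overwrites prior value
        guardian = _guardian;
    }
}

// Hardened form: a one-shot flag makes a second call revert. Under a proxy
// deployment the implementation contract should additionally lock its own
// initializer so it can never be initialized directly.
contract GovernanceGuarded {
    address public votingToken;
    address public guardian;
    bool private initialized;

    event Initialized(address votingToken, address guardian);

    function initialize(address _votingToken, address _guardian) external {
        require(!initialized, "already initialized");
        require(_votingToken != address(0) && _guardian != address(0), "zero address");
        initialized = true;           // set before any other state, once only
        votingToken = _votingToken;
        guardian = _guardian;
        emit Initialized(_votingToken, _guardian);
    }
}
```

For review and monitoring purposes, the emitted `Initialized` event gives auditors and indexers a single on-chain record of when initialization happened; any later call that reverts with "already initialized" is then an observable signal rather than a silent state change.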
There are three important lessons we believe can be taken from this attack:
Smart contracts are not 100% immune to hacker attacks. There are several vulnerability points that can take years to be discovered, especially in code that interacts with the off-chain world (oracles, governance, etc.).
The speed with which the problem was solved calls into question the decentralized nature of some platforms. On the one hand, the Audius team’s response was good for preventing further attacks; on the other hand, it shows how centralized some protocols that claim to be decentralized actually are.
For smaller protocols, a large token theft is not necessarily a good economic decision for the attacker. 18.5 million AUDIO tokens is approximately US$6 million. However, due to a lack of liquidity, the hacker was only able to exchange them for US$1.08 million on Uniswap.
Crypto-related hacks and other fraudulent activity can generate a lot of media attention, which is why we believe it’s important to provide perspective on these activities and what investors can learn from them going forward. Despite events like the Audius hack, we believe Web3 applications remain an incredibly promising segment of the crypto ecosystem, as smart contracts reinvent the online economy and disrupt the large technology companies that currently dominate how we use the internet.
This material expresses the opinion of Hashdex Asset Management Ltd. and its subsidiaries and affiliates (“Hashdex”) for informational purposes only and does not consider the investment objectives, financial situation or individual needs of one or a particular group of investors. We recommend consulting specialized professionals for investment decisions. Investors are advised to carefully read the prospectus or regulations before investing their funds. The information and conclusions contained in this material may be changed at any time, without prior notice. Nothing contained herein constitutes an offer, solicitation or recommendation regarding any investment management product or service. This information is not directed at or intended for distribution to or use by any person or entity located in any jurisdiction where such distribution, publication, availability or use would be contrary to applicable law or regulation or which would subject Hashdex to any registration or licensing requirements within such jurisdiction. No part of this material may be (i) copied, photocopied or duplicated in any form by any means or (ii) redistributed without the prior written consent of Hashdex. By receiving or reviewing this material, you agree that this material is confidential intellectual property of Hashdex and that you will not directly or indirectly copy, modify, recast, publish or redistribute this material and the information therein, in whole or in part, or otherwise make any commercial use of this material without Hashdex’s prior written consent.
Investment in any investment vehicle and cryptoassets is highly speculative and is not intended as a complete investment program. It is designed only for sophisticated persons who can bear the economic risk of the loss of their entire investment and who have limited need for liquidity in their investment. There can be no assurance that the investment vehicles will achieve their investment objectives or return any capital. No guarantee or representation is made that Hashdex’s investment strategy, including, without limitation, its business and investment objectives, diversification strategies or risk monitoring goals, will be successful, and investment results may vary substantially over time. Nothing herein is intended to imply that Hashdex’s investment methodology, or investing in any of the protocols or tokens listed in the Information, may be considered “conservative,” “safe,” “risk free,” or “risk averse.”
Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Hashdex, and Hashdex does not assume responsibility for the accuracy of such information. Hashdex does not provide tax, accounting or legal advice. Certain information contained herein constitutes forward-looking statements, which can be identified by the use of terms such as “may,” “will,” “should,” “expect,” “anticipate,” “project,” “estimate,” “intend,” “continue,” “believe” (or the negatives thereof) or other variations thereof. Due to various risks and uncertainties, including those discussed above, actual events or results, the ultimate business or activities of Hashdex and its investment vehicles or the actual performance of Hashdex, its investment vehicles, or digital tokens may differ materially from those reflected or contemplated in such forward-looking statements. As a result, investors should not rely on such forward-looking statements in making their investment decisions. None of the information contained herein has been filed with the U.S. Securities and Exchange Commission or any other governmental or self-regulatory authority. No governmental authority has opined on the merits of Hashdex’s investment vehicles or the adequacy of the information contained herein.