
How Attackers Stole Around $1.1M Worth of Tokens From Decentralized Music Project Audius

The sophisticated exploit involved attackers passing a malicious governance proposal by exploiting smart contracts.

Updated May 11, 2023, 6:42 p.m. Published Jul 25, 2022, 11:30 a.m.
Around $1.1 million worth of Audius’s AUDIO tokens were stolen over the weekend. (boonchai wedmakawand/Getty Images)

About $1.1 million worth of Audius’ AUDIO tokens were stolen over the weekend in a sophisticated attack that involved the project’s governance forums.

Audius, a tokenized music streaming project, relies on community voting and governance to make decisions. On Saturday, attackers posted a fake, malicious proposal and manipulated token votes to steal funds.


The attackers initially floated “Proposal #84,” which delegated 10 trillion AUDIO internally to the staking contract (with no token supply change). That transaction failed because no votes were cast on the proposal.

Attackers then floated “Proposal #85,” which requested the transfer of 18 million AUDIO tokens in a governance vote. The attackers were then “able to call initialize() and set himself as the sole guardian” of that governance contract, Audius developers explained in a post-mortem report on Monday.

The initialize() function sets a smart contract's initial state. Calling it allowed the attacker to take sole control of the governance proposal and transfer the tokens once the proposal passed.

After Proposal #85 was put up, a transaction was executed that delegated 10 trillion AUDIO toward the votes, thus skewing the proposal in favor of the attacker. Circulating supply was unaffected, but the proposal passed because the erroneous votes were able to trick Audius’ smart contracts. That allowed the attackers to maliciously transfer 18 million AUDIO tokens held by the Audius governance contract, referred to as the “community treasury,” to a wallet under their control.

The stolen tokens were then exchanged for more than 700 ethers, worth around $1.08 million at the time of writing, on privacy swap service Tornado Cash, blockchain data of the attacker’s wallet, 0xa62c3ced6906b188a4d4a3c981b79f2aabf2107f, shows.

Meanwhile, Audius developers said a bug allowed the attacker to invoke the initialize() function. “The Audius governance, staking, and delegation contracts on Ethereum mainnet,” developers explained in the post-mortem.

“[These] were compromised due to a bug in the contract initialization code that allowed repeated invocations of the initialize functions,” they added.

The set of exploited contracts was previously audited by the OpenZeppelin team, but the vulnerability wasn't caught at the time, Audius developers said. All remaining funds are safe and fixes have been deployed as of Monday.
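The bug class the post-mortem describes, an initializer that can be invoked more than once, is shown below beside a single-use form. This is an added example, not code from Audius or from the article; apart from initialize(), every contract, function and variable name is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model only: names are hypothetical and are not taken
// from the Audius code base.

// BEFORE: nothing records that initialization already happened, so any
// caller can run initialize() again and overwrite the guardian.
contract GovernanceUnguarded {
    address public guardian;
    uint256 public votingQuorumPercent;

    function initialize(address _guardian, uint256 _quorum) external {
        guardian = _guardian;
        votingQuorumPercent = _quorum;
    }
}

// AFTER: a one-way flag makes initialize() single-use, and privileged
// calls refuse to run until initialization has completed.
contract GovernanceGuarded {
    address public guardian;
    uint256 public votingQuorumPercent;
    bool private initialized;

    error AlreadyInitialized();
    error NotInitialized();
    error NotGuardian();

    function initialize(address _guardian, uint256 _quorum) external {
        if (initialized) revert AlreadyInitialized();
        require(_guardian != address(0), "guardian is zero address");
        require(_quorum > 0 && _quorum <= 100, "quorum out of range");
        initialized = true; // set before any other state is written
        guardian = _guardian;
        votingQuorumPercent = _quorum;
    }

    modifier onlyGuardian() {
        if (!initialized) revert NotInitialized();
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    function transferGuardianship(address next) external onlyGuardian {
        require(next != address(0), "guardian is zero address");
        guardian = next;
    }
}
```

A regression test that calls initialize() twice and expects the second call to revert catches this class of bug before deployment.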
