Hacker drains $1.08M from Audius following passing of malicious proposal

cointelegraph.com:

Proposals in crypto help communities make consensus-based decisions. However, for decentralized music platform Auduis, the passing of a malicious governance proposal resulted in the transfer of tokens worth $5.9 million, with the hacker making away with $1 million. 

On July 24, a malicious proposal (Proposal #85) requesting the transfer of 18 million Audius’ in-house AUDIO tokens was approved by community voting. First pointed out on Crypto Twitter by @spreekaway, the attacker created the malicious proposal wherein they were “able to call initialize() and set himself as the sole guardian of the governance contract.”

Hello everyone - our team is aware of reports of an unauthorized transfer of AUDIO tokens from the community treasury. We are actively investigating and will report back as soon as we know more.If you'd like to help our response team, please reach out.

Further investigation from Auduis confirmed the unauthorized transfer of AUDIO tokens from the company’s treasury. Following the revelation, Auduis proactively halted all Audius smart contracts and AUDIO tokens on the Ethereum blockchain. 

Blockchain investigator Peckshield narrowed down the fault to Audius’ storage layout inconsistencies.

The issue of @AudiusProject lies in inconsistent storage layout between its proxy and impl. In particular, the collision of Audius Community Treasury contract results in an equivalence of disabling the initializer modifier. The proxyAdmin addr (0x..abac) plays a role here. pic.twitter.com/x4CqRncahp

While the hacker’s governance proposal drained out 18 million tokens worth nearly $6 million from the treasury, it was soon dumped and sold for $1.08 million. While the dumping resulted in maximum slippage, investors recommended an