Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 098Governance Attack

Audius Governance Initializer Bug

An attacker exploited an Audius contract-initializer flaw to self-delegate 10 trillion AUDIO and pass a malicious proposal that drained $6M from the treasury.

Date
Victim
Audius
Chain(s)
Ethereum
Status
Funds Stolen

On July 23, 2022, the decentralised music-streaming platform Audius lost 18.56 million AUDIO tokens — worth roughly $6.05 million at the time — when an attacker exploited a vulnerability in the protocol's governance contract initialization code. The bug had been present through two separate audits by OpenZeppelin.

What happened

Audius used upgradeable governance contracts that relied on initializer functions to set their critical state at deployment time. The initialization functions were intended to be one-shot — callable exactly once, by the contract deployer, immediately after deployment.

The bug: the initializer for one of the governance contracts was callable repeatedly under specific conditions. The attacker re-invoked it to take ownership of the contract's state, including the delegation and staking storage that determined who held governance voting power.

With control of the storage, the attacker:

  1. Re-defined their address as holding 10 trillion AUDIO in delegated voting power.
  2. Submitted a malicious governance proposal that withdrew the entire community treasury to an attacker-controlled wallet.
  3. Voted yes on their own proposal with the fabricated 10 trillion voting power.
  4. The first attempt failed due to a separate issue; the second attempt succeeded.
  5. Executed the proposal, transferring 18,564,497 AUDIO out of the treasury, then swapped them on Uniswap for 704 ETH (~$1.09M). The remaining tokens lost most of their value as the market priced in the dilution.

Aftermath

  • Audius detected the exploit roughly 30 minutes after the first failed attempt and deployed a fix within an hour.
  • The team published a post-mortem and reimbursed affected token holders through a combination of treasury restructuring and token-supply adjustments.
  • The contracts had been audited by OpenZeppelin twice; neither audit caught the re-invokable initializer bug.

Why it matters

Audius is the canonical case for why initializer functions are dangerous primitives. The pattern recurs across the upgradeable-proxy ecosystem:

  • Parity Multisig (2017) — a re-invokable initWallet enabled both the original $30M theft and the later $150M freeze.
  • Audius (2022) — same root cause, different contract architecture, $6M loss.
  • The pattern keeps appearing because the safe implementation (initializer modifier, explicit ownership checks, atomic deployment + initialization) is one extra annotation away from the unsafe one.

The deeper Audius lesson is more uncomfortable: two audits by a top-tier firm did not catch this bug. Audits provide meaningful but not absolute protection; formal verification of initialization patterns and economic-invariant fuzzing of governance contracts are the additional defensive layers that have become more common since.

Sources & on-chain evidence

  1. [01]decrypt.cohttps://decrypt.co/105913/how-audius-was-hacked-6m-ethereum-tokens
  2. [02]cryptoslate.comhttps://cryptoslate.com/attackers-stole-6-million-from-audius-by-exploiting-a-bug-in-the-contract/
  3. [03]bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/hackers-steal-6-million-from-blockchain-music-platform-audius/

Related filings