Give Back to Victims of Stolen $AUDIO (Audius Wallet Security Vulnerability)

Dear Audius Community,

As you may have heard, there is a serious ongoing issue where thieves have been stealing $AUDIO directly from users’ Audius built-in wallets. Hundreds that we know of, and potentially many more, Audius users have had their accounts compromised and all their Audio tokens stolen, directly from the Audius built-in wallet on Audius’ official website. These tokens were stored before Audius security improvements, such as third party wallet support, were implemented on Audius’ website.

These are users who trusted the Audius platform, which had promoted storing Audio tokens on their wallet for Bronze, Silver and Gold badges. This is an effort to recoup some of the stolen funds. We know of multiple wallets of the thieves. Here is one Ether address which equates to hundreds of thousands of stolen $AUDIO. Overall, millions have been stolen (quantity of $AUDIO). We have more wallet IDs but we can only post one link here.

Thankfully, Audius as a company has recognized that these were in fact theft from their online platform wallet. They have also acknowledged the need for security improvements on their platform such as adding 2FA, and improving their third party wallet support. As we know, Audius has allocated 17.8% of $AUDIO’s circulating supply to a Foundation Wallet, which community members can apply to use for various initiatives. We would like to propose that community members can apply to be reimbursed for the $AUDIO that was stolen from their accounts.

The accounts will need to be verified first, to ensure that they did in fact have their $AUDIO stolen. A simple verification method can be made through the Audius platform email that was used to sign up for Audius, which is linked directly to the on platform wallet. Victims will need to verify that it was indeed their wallet address tied to a theft from one of the transactions linked to a known theft.

If passed, this will show the power and strength of the Audius community to look after its own users, many of whom are artists struggling to make it in the industry. Thank you for the time to read this proposal, and we hope that this vote passes.

14 Likes

Great to see this. I agree with all things said in this proposal.

Here are 2 other wallets that have stolen on top of the one from the original post.

7 Likes

I think it would be worth investigating and assessing just how much theft/damage has occurred. This has been a slow poisoning of the well, not a grand heist. Inspecting the transactions leads to really peculiar insights that raise many questions.

It is important that we discover where these funds went, whether they were sent to exchanges or, more importantly, if there are hackers using this to gain voting power. The latter is far more disturbing and sinister than just doing this for profit. If the damages only amount to a small fraction of what the foundation wallet holds then I may be in favor of this proposal reimbursing those affected. For now I remain hesitant to choose a side despite personally knowing people who have been affected by this.

I want to be clear: I am far more interested in discovering how to prevent this exploit from working as opposed to just reimbursing the aggrieved. Yes, we should explore our options helping the people affected, that is not a question in my mind. However, preventing more oblivious users from losing their funds is imperative. Nonetheless thank you for this post.

This adds some anxiety to keeping funds on the hedgehog wallet, however using it as a place to distribute rewards “for free” (if not slowly) is extremely valuable. I look forward to seeing what this discourse brings and if any transaction sleuths can make sense of what we are dealing with here.

*Edit: I am aware that ERC-20 “mixers” exist; this is a tool used to obfuscate and “clean” the tokens that usually erases the breadcrumb trail.

3 Likes

This post was flagged by the community and is temporarily hidden.

7 Likes

I do understand that the primary goal should be to make Audius more secure for everyone. But what we don’t want is for Audio to become a scammy coin by being known as the coin that gets stolen easily. Precedent must be set, and things need to change. I’ve seen mods exclaim that the security needed an upgrade, and it was done only after these coins were stolen. That looks really bad on the community, and this is a chance to change that perspective. I personally didn’t have any Audio stolen, but I do see the need to help victims of these attacks. Don’t be fooled by the word cryptocurrency; Audius is still very much a company that can make mistakes. This is literally why they have a HUGE reserve of AUDIO for this kind of situation. It’s not something that affects any individual; it only helps the victims. Please consider this.

8 Likes

Yes Brokenblythe, I do agree that it should be a priority for Audius to discover how to prevent this exploit from working. But I very much agree with Roger and Kreigus’ posts as well.

I won’t reiterate everything they’ve said. But I will add that the people who I’ve talked to who have had their tokens stolen from their Audius wallets are artists who LOVE the idea of Audius, myself included. They are artists who have been involved with Audius, and holding AUDIO, right from the beginning of the company. Right now these victims are extremely discouraged, and only fixing future security isn’t going to change that. Although they should be trying to prevent this from happening in the future, this is an opportunity for Audius to support those that have been supporting Audius from the beginning and have fallen victim to the insecure Audius wallet.

I don’t think this reimbursement plan is something that should happen forever, meaning you would have a certain time period to apply for reimbursement, and once security is upgraded to a certain point it could stop altogether. But for the time being, especially since they are still promoting people to hold it in their Audius wallet to receive certain tiers, I very much hope we can come to an agreement that satisfies all parties involved: investors, employees, artists and the victims, as Roger already said.

6 Likes

Could you point me to where Audius acknowledged that an exploit was used to get these funds? I’m not doubting it but am interested in seeing what the response was in full just to get a scope of the situation.

If an exploit was used, the question must be asked why certain users with smaller holdings were targeted rather than larger accounts. All the evidence I’ve seen has pointed towards it being down to individual users having easily crackable passwords. I am interested in seeing where it was acknowledged as an exploit to get a sense of the situation around it. Many thanks

2 Likes

Thank you for bringing up this proposal. I have friends who were affected by this exploit.
There are a few possibilities that could have led to this:

  1. It is the fault of the original airdrop mechanism built into Audius’ contract
  2. The hacker exploited or injected SQL into Audius’ front end and received database information
  3. It is a vulnerability in the Hedgehog wallet used on Audius’ web platform
  4. The hacker gained personal information and login info from every victim

Of these possibilities, I will argue why even if the 4th is the case that we should reimburse those affected. Additionally, I propose we add a budget to hire someone to audit that specific airdrop contract as well as potentially reveal the source of the vulnerability.

If people were airdropped these funds it is likely they also used Audius’ integrated wallet. It is of no fault of their own if their information was revealed through an exploit and not a phishing attempt. The main statistic that makes me think that this was not a phishing attack is that there were also a few non-airdrop wallets that were stolen from (however these could be linked to another airdropped wallet just routed multiple different times from exchanges and then into another Audius wallet). Another good question to ask is: If there was a phishing attack, how did the hacker gain access to their email information? How could he know that they all had Airdropped funds, and why were those wallets such easy targets (they account for a great majority of stolen funds)?

Many of these wallets belong to early adopters, active users, general pillars of the community. It would be a shame to let them all down in such a way when we have the ability to right a wrong and teach a valuable lesson in the process: keep your wallets safe and off of centralized platforms. If a phishing attempt is the reason for this hack, there is still great value in showing early adopters that they are valuable to the ecosystem and not just some scam victim.

4 Likes

Audius acknowledged it when they released the 2FA functionality. They have since removed the posts as far as I know. Additionally, how could you know if their passwords are easily crackable? If you have also found an exploit to find Audius logins please let the community know so we can be done with the mystery.

3 Likes

Pocket’s latest post just now goes much deeper into the technical side of things, so you can check that out.
But to me, it doesn’t make sense that it is just easily crackable passwords; it’s happened too many times, too quickly and to too many wallets. My password was a random assortment of numbers/words/symbols. I don’t see how that could be easily guessed.

Also, I would argue that they are/were purposely trying to target many smaller holdings rather than larger accounts. If they started stealing huge amounts from the Gold/Platinum accounts, that would get the Audius team’s and others’ attention a lot quicker.

Yes the Audius team has talked about this as a serious issue, but it was on the Discord Audius-Help page which they just removed and wiped clean of its history a few days ago. Audius-Help is now only done through email.

4 Likes

When did Audius get 2FA? I’ve heard nothing of this; I can’t see a 2FA option. If you mean adding other wallet platforms, that was done long before this issue was being discussed, and it’s not possible to acknowledge something before it happens. We were calling for 2FA for months and it was the alternative they offered; 2FA would still be appreciated, however.

I never said I know users had easily crackable passwords, I just said from what I’ve seen discussed that’s the most realistic option. Obviously they’d need the users’ emails, which many artists have accessible through their on-profile links (contact emails in Instagram and Spotify etc.) or through database access. Lots of Discord scams have been floating about also. I’m doubtful that a platform that reportedly has its security tested by external companies and openly has bug bounties would fall to SQL injections in 2021. If there is a way to get database access then the silence from Audius is unprofessional and embarrassing.

Another good question to ask is: If there was a phishing attack, how did the hacker gain access to their email information?

Phishing attempts generally get a user’s email address.

I’m essentially being devil’s advocate based on the information we actually have on the situation. The fact that non-airdropped wallets fell victim rules out option #1, but I agree that the rest of the options are possibilities and I expect an official response from Audius over this.

No intention of being hostile with this comment, just interested in the situation from an outsider’s perspective, and I hope a resolution is reached.

2 Likes

Hi Byte, you are correct, Audius still does not have 2FA, which makes this issue even more egregious. You are also correct that third party wallet support was added. However, I would love to know the date on which 3rd party wallet support was added to the on-platform website. Was it before September 1st, 2021 (first reported theft)? I don’t believe it was. I believe that Audius publicly launched third party wallet support on September 2nd? (Phantom) and then also on October 6th (MetaMask)… It’s quite interesting that the first theft tx was a day before the public launch of 3rd party wallet support. But really I don’t want this to turn into a discussion of assumptions and hypotheticals…

Aside from that, let’s focus on this particular thief’s wallet. https://etherscan.io/tokentxns?a=0xfd01ca4238775fb9a026df1e9b8bad0263f61ace

If we look at the first 20+ or so wallets that were stolen from, they ALL received an Audius airdrop from this address, https://etherscan.io/address/0x683c19e621a0f107a291fdab38f80179809d61b5

Of course, later on the thief moved on to other accounts that were not part of this airdrop. But it should be very interesting to everyone looking that the thief started with all air dropped accounts that were claimed 10 months prior, all claimed from the same address.

Now, let’s take a closer look at these 4 tx from airdropped accounts that were stolen from. [Limited to two links per post, please replace (dot)io with .io]

etherscan(dot)io/tx/0x42b79d98160d595b302bed4f2a18489dc3d53332871d93a9f19efbb8ec2c2199

etherscan(dot)io/tx/0x0818e94dcdba97a7fc815301ba3bf4720228df6fef0114a1a26234ca4d64a94f

etherscan(dot)io/tx/0xccf06ff33d393687017d6efc1035d166834742342a0c26fad0dfb259ce47678f

etherscan(dot)io/tx/0xca81fb6da8fc87c15056499e82b7135b5359d8a13f0c2c211361446e3b3a243e

Look at the time of transaction… this thief stole from 4 different wallets that all happened to receive exactly 500 $AUDIO from the same airdrop address, and the thief did this all in 7 MINUTES. These are huge red flags. If there was a third party independent security/forensic audit of these tx patterns, I’m sure they would discover more anomalies which would point to anything other than a targeted phishing attack.

Byte, I appreciate your responses and playing devil’s advocate. It’s needed in order to have a robust discussion like we are having now. I believe you also recognized the strangeness of these tx addresses and patterns while discussing on Discord; does this not seem strange to you?

Hi Byte, you are correct, Audius still does not have 2FA, which makes this issue even more egregious. You are also correct that third party wallet support was added, but the security vulnerability on the promoted on-platform wallet was still there.

Aside from that, let’s focus on this particular thief’s wallet.
Wallet Address: 0xfd01ca4238775fb9a026df1e9b8bad0263f61ace

If we look at the first 20+ or so wallets that were stolen from, they ALL received an Audius airdrop from this address,
Wallet Address: 0x683c19e621a0f107a291fdab38f80179809d61b5

Of course, later on the thief moved on to other accounts that were not part of this airdrop. But it should be very interesting to everyone looking that the thief started with all air dropped accounts that were claimed 10 months prior, all claimed from the same address.

Now, let’s take a closer look at these 4 tx from airdropped accounts that were stolen from. (I can’t post Etherscan links here anymore; did Audius remove the ability to post Etherscan links? But please search yourself.)

tx: 0x42b79d98160d595b302bed4f2a18489dc3d53332871d93a9f19efbb8ec2c2199

tx: 0x0818e94dcdba97a7fc815301ba3bf4720228df6fef0114a1a26234ca4d64a94f

tx: 0xccf06ff33d393687017d6efc1035d166834742342a0c26fad0dfb259ce47678f

tx: 0xca81fb6da8fc87c15056499e82b7135b5359d8a13f0c2c211361446e3b3a243e

Look at the time of transaction… this thief stole from 4 different wallets that all happened to receive exactly 500 $AUDIO from the same airdrop address, and the thief did this all in 7 MINUTES. These are huge red flags. If there was a third party independent security/forensic audit of these tx patterns, I’m sure they would discover more anomalies which would point to anything other than a targeted phishing attack.

Byte, I appreciate your responses and playing devil’s advocate. It’s needed in order to have a robust discussion like we are having now. I believe you also recognized the strangeness of these tx addresses and patterns while discussing on Discord; does this not seem strange to you?

4 Likes

Does anybody else find it extremely concerning that Audius removed the ability to post Etherscan links a couple of days ago? They had someone add the host etherscan.io to a blacklist, all while this discussion is going on. The Etherscan links are invariably relevant for informational purposes.

1 Like

Yes, I do find that bizarre! Also, is the original proposal also flagged?

That being said, personally, I don’t want to accuse anyone, including the Audius team of anything, I just want to find a solution that works for the victims. Really hoping that they do the right thing here and we can find a solution together. If the proposal just “disappears” entirely however, I wouldn’t even know what to think then.

3 Likes

Yes, the original proposal, and another response of mine is now hidden and flagged. I don’t want to make assumptions, but you can’t blame us for thinking that this is an effort from Audius to stop the discussion of this important security topic.

This topic has gained solid traction and engagement from valuable members of the Audius community. In fact, it’s one of the most engaged topics since this gov board’s inception.

It’s something that is important to Audius users, current/potential investors, and of course to Audius as a company.

Is this security topic being sandbagged?

2 Likes

As a follower of the project I’m interested to see what the Audius team’s perspective is for everyone to have a better understanding of the situation and have healthy discussion.

That is really weird that the posts have been removed, as well as the Etherscan links not working. I would love to know why. Something that SalT said that I think makes sense is to have a window where you can apply to be reimbursed. Perhaps a one week window or something like that. I understand why Audius doesn’t want this to be big news, and fair enough. Everyone here wants Audius to succeed!! If Audius is able to provide a one week period to be reimbursed, the cost would barely be a drop in the bucket to the Audius team, and that would satisfy all the victims who are following this thread, and the thread could be removed, if that’s what the Audius team wants to do.

2 Likes

Hi yes, thanks for the response.

I did look into the TXs of the wallets a few weeks back when reading about this, and I’m about to play devil’s advocate again as there’s something interesting about the pattern, so my apologies:

I looked into all airdropped rewards and 17 wallets got 480-510 $AUDIO. This wallet received it from 12 of them. 2 of the others belong to Audius staff. So 12/15 wallets that received that amount from the airdrop sent them to this wallet. It suggests these 12 accounts performed the same actions or similar actions prior to the airdrop to be awarded that amount which could mean the person receiving this $AUDIO owned all those accounts. EDIT: (user has confirmed their $AUDIO was transferred to this wallet so theory of it being Audius owned is retracted)

(I did this research weeks ago, my numbers may be off).

Of course that’s a theory; it very much could be something in the initial airdrop contract that allowed them to do this, but again these wallets have received Audio from wallets that didn’t receive the airdrop, so in my eyes that suggests it likely isn’t down to the contract BUT this leans further towards the possibility of an issue with the Hedgehog wallet.

From reading the thread and discord discussions, the options are:

  1. There’s an issue with the initial airdrop contract where funds can be accessed, but the individuals accessing the funds also have another way to get non-airdropped funds

Which points towards

  2. The Hedgehog wallet has a serious issue where funds can be accessed

but that doesn’t leave out

  3. There’s phishing going on and the individual phishing also had a few Audius accounts that performed the same actions (not unlikely that they’d scam the platform if they’re scamming individuals)

Also doesn’t eliminate

  4. Someone has a method of accessing the database where login details are (seems unlikely to me)

Again, completely devil’s advocate stuff so that more bases/possibilities are covered when/if Audius gets more involved in the discussion.

2 Likes
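An added example, not from anyone in this thread: a small Python script that checks the two on-chain patterns raised above against a set of transfer records. It tests Pocket’s observation (the first victims all received exactly 500 $AUDIO from the same airdrop address and were drained into one wallet within a 7 minute window) and Byte’s count (how many airdrop recipients in the 480-510 band later sent to the suspect wallet). The airdrop and suspect addresses are the ones quoted in the thread; the transfer records themselves, including the victim addresses, amounts and timestamps, are constructed for this example and are not real chain data.

```python
from datetime import datetime, timedelta

# Addresses quoted in the thread. Everything else below is constructed
# sample data for the example, not real Etherscan records.
AIRDROP = "0x683c19e621a0f107a291fdab38f80179809d61b5"
SUSPECT = "0xfd01ca4238775fb9a026df1e9b8bad0263f61ace"

# Constructed ERC-20 transfer log: (timestamp, from, to, amount in AUDIO).
# Victim/holder addresses are placeholders, not real wallets.
TRANSFERS = [
    ("2020-11-01T12:00:00", AIRDROP, "0xVICTIM_A", 500.0),
    ("2020-11-01T12:00:00", AIRDROP, "0xVICTIM_B", 500.0),
    ("2020-11-01T12:00:00", AIRDROP, "0xVICTIM_C", 500.0),
    ("2020-11-01T12:00:00", AIRDROP, "0xVICTIM_D", 490.0),
    ("2020-11-01T12:00:00", AIRDROP, "0xSTAFF_E", 505.0),
    ("2020-11-01T12:00:00", AIRDROP, "0xHOLDER_F", 8985.0),
    ("2021-09-01T03:10:00", "0xVICTIM_A", SUSPECT, 500.0),   # burst starts
    ("2021-09-01T03:12:30", "0xVICTIM_B", SUSPECT, 500.0),
    ("2021-09-01T03:14:00", "0xVICTIM_C", SUSPECT, 500.0),
    ("2021-09-01T03:17:00", "0xVICTIM_D", SUSPECT, 490.0),   # 7 min after A
    ("2021-09-02T09:00:00", "0xHOLDER_F", "0xEXCHANGE", 100.0),  # unrelated
    ("2021-09-09T18:00:00", "0xOTHER_G", SUSPECT, 1000.0),   # non-airdrop victim
]


def airdrop_recipients(transfers, airdrop, low, high):
    """Addresses that received between low and high AUDIO from the airdrop address."""
    return {to for _, frm, to, amt in transfers if frm == airdrop and low <= amt <= high}


def inflows_to(transfers, suspect):
    """Transfers into the suspect wallet as (time, source, amount), oldest first."""
    return sorted((datetime.fromisoformat(ts), frm, amt)
                  for ts, frm, to, amt in transfers if to == suspect)


def airdrop_overlap(transfers, airdrop, suspect, low=480, high=510):
    """Byte's check: (recipients in the band that later sent to suspect, recipients in band)."""
    recipients = airdrop_recipients(transfers, airdrop, low, high)
    senders = {frm for _, frm, _ in inflows_to(transfers, suspect)}
    return len(recipients & senders), len(recipients)


def max_inflows_in_window(transfers, suspect, window_minutes=7):
    """Pocket's check: most distinct wallets draining into suspect within any window."""
    window = timedelta(minutes=window_minutes)
    inflows = inflows_to(transfers, suspect)
    best = 0
    for i, (t0, _, _) in enumerate(inflows):
        sources = {frm for t, frm, _ in inflows[i:] if t - t0 <= window}
        best = max(best, len(sources))
    return best


if __name__ == "__main__":
    hit, total = airdrop_overlap(TRANSFERS, AIRDROP, SUSPECT)
    print(f"{hit}/{total} airdrop recipients in the 480-510 band sent to the suspect wallet")
    print(f"largest 7-minute burst: {max_inflows_in_window(TRANSFERS, SUSPECT)} distinct victims")
```

On real data the same two functions can be fed the Etherscan token-transfer export for the suspect and airdrop addresses; a high overlap ratio together with a multi-wallet burst is what separates a credential-level compromise from unrelated individual phishing.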

Hi All,

I was airdropped 8,985 Audio about 1 year ago. I kept 1,000 in my public account in order to keep the Silver badge to take part in what I believed to be a bright future for Audius. During this time I told everyone I know to check out Audius and join the community. 54 days ago (approx. Sept. 4-5), my 1,000 Audio was sent to 0x0601bD98D929beb6E467758C395f4321C991E0cf without my permission. I followed this account and they racked up 355,710 $Audio within 9 days.

Maybe some people don’t care and maybe some artists don’t even know that they were affected but I was definitely planning to use that. Not to sound like a sad sack but I even told my mom and sister about it. Now they’re going to say “I told you that internet shit was a scam.”

I agree with the proposals above, especially the one about affected users applying within a certain time period and then we can move on. I originally loved Audius for the idea of taking part in governance issues and having a stake in continuous improvements, but after these last couple of weeks this platform seems more and more sketchy. But hey, just don’t lose Katy Perry’s tokens, am I right?

1 Like