- The Audius contracts on the Ethereum mainnet were compromised due to a bug in the contract initialization code.
- This bug made it possible for the attacker to transfer about 18 million AUDIO tokens.
- The bug allowed repeated invocations of any function that used the ‘initializer’ modifier.
The post-mortem report on the Audius Governance takeover was posted on the Audius Blog website on July 24. According to the blog post, “the Audius governance, staking, and delegation contracts on the Ethereum mainnet were compromised due to a bug in the contract initialization code that allowed repeated invocations of the initialize functions.”
This bug made it possible for the attacker to take about 18 million AUDIO tokens held by the Audius governance contract in the community treasury. These tokens were then transferred to a wallet under the attacker’s control; the attacker also modified the dynamics of the voting system in order to change their staked AUDIO amounts.
The Audius governance contracts use what is known as the OpenZeppelin proxy upgradability pattern, which permits proxy upgrades to the logic contracts of the Audius Governance system. In Audius’s implementation, the AudiusAdminUpgradabilityProxy makes use of storage slot 0.
In turn, the proxy admin for the Audius protocol was set to the governance contract, which implements a variety of checks and balances to prevent any unauthorized use.
“This caused a collision with OpenZeppelin’s Initializable contract’s initialized and initializing boolean state, which are also stored in slot 0 (the first and second bytes),” the blog reads.
According to the post-mortem report, “because initializing was already true, the call was not considered to be a ‘toplevelCall’, which meant that both ‘initialized’ and ‘initializing’ were left unchanged.”
This is what led to the repeated invocations of any of the functions that used the ‘initializer’ modifier.
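To make the failure mode concrete, the following is an added Python model (not Audius or OpenZeppelin code) of the slot-0 layout and the ‘initializer’ modifier as described above. It assumes OpenZeppelin Initializable v3-style semantics (`initialized` in byte 0, `initializing` in byte 1 of slot 0), a constructed proxy-admin address, and uses the EIP-1967 admin slot only as an illustration of a non-colliding location.

```python
# Added model of the storage-slot collision described in the post-mortem.
# Not the Audius or OpenZeppelin source; semantics follow Initializable v3.x.
from dataclasses import dataclass, field

# EIP-1967 admin slot: keccak256("eip1967.proxy.admin") - 1 (a non-colliding slot)
EIP1967_ADMIN_SLOT = 0xB53127684A568B3173AE13B9F8A6016E243E63B6E8EE1178D6A717850B5D6103
# Constructed, arbitrary admin address; its two low-order bytes (0x67, 0x45) are nonzero.
SAMPLE_ADMIN = 0x0123456789ABCDEF0123456789ABCDEF01234567

@dataclass
class Storage:
    """Minimal 256-bit word storage, keyed by slot number."""
    slots: dict = field(default_factory=dict)
    def load(self, slot): return self.slots.get(slot, 0)
    def store(self, slot, value): self.slots[slot] = value % 2**256

def read_flags(st):
    """Initializable packs `initialized` in byte 0 and `initializing` in byte 1
    of slot 0; Solidity reads any nonzero byte as true."""
    word = st.load(0)
    return bool(word & 0xFF), bool((word >> 8) & 0xFF)

def write_flags(st, initialized, initializing):
    word = st.load(0) & ~0xFFFF
    st.store(0, word | int(initialized) | (int(initializing) << 8))

def initializer(st, body):
    """Model of the `initializer` modifier wrapping an initialize() body."""
    initialized, initializing = read_flags(st)
    if not (initializing or not initialized):
        raise RuntimeError("Contract instance has already been initialized")
    top_level = not initializing          # false if `initializing` already reads true
    if top_level:
        write_flags(st, True, True)
    body(st)
    if top_level:
        write_flags(st, True, False)

def run_initialize_twice(admin_slot):
    """Store the proxy admin in `admin_slot`, call initialize() twice, and
    report how many times the body ran plus the outcome of the second call."""
    st = Storage()
    st.store(admin_slot, SAMPLE_ADMIN)
    calls = []
    body = lambda s: calls.append("initialize ran")
    initializer(st, body)
    try:
        initializer(st, body)
        return len(calls), "second call accepted"
    except RuntimeError as exc:
        return len(calls), str(exc)
```

With the admin in slot 0 both calls succeed and the flags are never updated; with the admin in a dedicated slot the second call reverts.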
At the end of the attack, the hacker was able to redefine voting on the Audius protocol as well as modify the governance contract’s guardian addresses. They were also able to set the governance address for both the Staking & Delegate Manager V2 contracts to that of the Audius governance contract.