Fairyproof’s Analysis of the Attack on Audius
On July 23, 2022, Audius suffered a governance attack. Here is our analysis.
On July 23, 2022, at 11:00 PM UTC, Audius, a music NFT application deployed on the BNB Chain, suffered a governance attack.
Its proxy contract did not properly specify a guardian or a slot for its implementation contract, causing the contract to be reinitialized.
These are the details for the attacked smart contracts:
Proxy Contract: 0x4DEcA517D6817B6510798b7328F2314d3003AbAC (BNB chain)
Implementation Contract: 0x35dD16dFA4ea1522c29DdD087E8F076Cad0AE5E8 (BNB chain)
Here is the proxy contract:
Here is the implementation contract:
The code possessing the issue is as follows:
AudiusAdminUpgradeabilityProxy.proxyAdmin
Initializable.initializing
The two variables actually pointed to the same slot.
When the initialize function was called, Initializable.initializing would be set to “false”. However, in a subsequent operation, proxyAdmin was set to a value greater than 0. Because the two variables shared a slot, this value became the new value of Initializable.initializing, which, read as a Boolean variable, was “true”.
This “true” value allowed the “require(initializing)” check defined in the Initializable.initializer modifier to pass, so the initialize function guarded by the initializer modifier could be called again.
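The slot overlap described above, as an added Python example that is not Audius's or Fairyproof's code: it checks a proxy layout against an implementation layout for overlapping bytes and shows what the colliding Boolean reads after the admin address is stored. The byte offsets of the two Initializable flags, the simplified layout tuples, and the admin address are assumptions constructed for illustration.

```python
# Added example: storage-layout collision check (not Audius or Fairyproof code).
# Layout entries are constructed and simplified from the shape of solc's
# storageLayout output: (label, slot, byte offset in slot, size in bytes).
PROXY_LAYOUT = [
    ("AudiusAdminUpgradeabilityProxy.proxyAdmin", 0, 0, 20),  # address
]
IMPL_LAYOUT = [
    ("Initializable.initialized", 0, 0, 1),   # bool (assumed packing)
    ("Initializable.initializing", 0, 1, 1),  # bool (assumed packing)
]


def find_collisions(proxy_layout, impl_layout):
    """Return (proxy_label, impl_label) pairs whose byte ranges overlap."""
    hits = []
    for p_label, p_slot, p_off, p_size in proxy_layout:
        for i_label, i_slot, i_off, i_size in impl_layout:
            overlap = p_off < i_off + i_size and i_off < p_off + p_size
            if p_slot == i_slot and overlap:
                hits.append((p_label, i_label))
    return hits


def read_bool(slot_word, offset):
    """Read a packed bool: any non-zero byte at the offset reads as true."""
    return ((slot_word >> (8 * offset)) & 0xFF) != 0


def write_address(slot_word, address):
    """Store a 20-byte address in the low-order bytes of a 32-byte slot word."""
    mask = (1 << 160) - 1
    return (slot_word & ~mask) | (address & mask)


def initializing_after_admin_write(admin_address):
    """Value 'initializing' reads once the proxy has stored its admin in slot 0."""
    slot0 = 0x01  # after initialize(): initialized=true, initializing=false
    slot0 = write_address(slot0, admin_address)
    return read_bool(slot0, offset=1)


if __name__ == "__main__":
    for proxy_var, impl_var in find_collisions(PROXY_LAYOUT, IMPL_LAYOUT):
        print("collision:", proxy_var, "<->", impl_var)
    # Constructed admin address, not a value from the incident.
    print(initializing_after_admin_write(0x00000000000000000000000000000000DEADBEEF))
```

Running the same overlap check on the compiler's storage layout for a proxy and its implementation before deployment flags this class of collision.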
The attacker used this vulnerability to call the initialize function and set the guardian in the Community Treasury contract to be the attacking contract, successfully passing a malicious proposal.
This malicious proposal was executed to transfer 18.56 million Audius tokens to the attacking contract. The attacker then exchanged these Audius tokens for ETH (more than $1 million) and cashed out the ETH via Tornado.Cash.
Additional Information:
Attacker’s Address: 0xa0c7BD318D69424603CBf91e9969870F21B8ab4c (BNB chain)
Attacking Contract: 0xbdbB5945f252bc3466A319CDcC3EE8056bf2e569 (BNB chain)
Attacked Contracts: Audius’ Community Treasury
Proxy Contract: 0x4DEcA517D6817B6510798b7328F2314d3003AbAC (BNB chain)
Implementation Contract: 0x35dD16dFA4ea1522c29DdD087E8F076Cad0AE5E8 (BNB chain)