AUDIUS Governance System Exploit Overview
On July 23, 2022, the AUDIUS governance, staking, and delegation contracts on Ethereum mainnet were compromised due to a bug in the contract initialization code that allowed repeated invocations of the initialize functions. The bug allowed an attacker to maliciously transfer 18MM $AUDIO tokens held by the AUDIUS governance contract.
Ethereum smart contracts are not upgradeable by default. To work around this limitation, developers often use “proxy contracts”.
A proxy contract points to a “logic contract” and executes transactions by running the logic contract's code against the proxy's own storage. The proxy also has internal variables of its own and must keep contract-related data persistent. The way Ethereum lays out contract storage in numbered slots leads to the problem known as proxy storage collisions.
The logic contract's code runs as if the proxy's storage structure were identical to its own; when the two layouts do not match, variables of one contract overwrite or misread variables of the other.
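As an added illustration (not Audius's code or contracts), the following Python layout checker applies Solidity's sequential slot-packing rule to two constructed layouts and reports which logic variables alias the proxy's own slots, and whether an upgraded logic layout still matches the old one. The contract variable names and the `SIZES` table are assumptions made for the demo; this is the kind of check upgrade-safety tooling performs before a deployment.

```python
# Storage-layout collision checker for delegatecall proxies (constructed
# example, not Audius code). Layouts below are invented to show the failure class.
from dataclasses import dataclass

# Byte widths of common value types; anything unknown (mapping, dynamic array,
# string, bytes) is treated as occupying a whole 32-byte slot.
SIZES = {"bool": 1, "uint8": 1, "uint128": 16, "address": 20, "uint256": 32, "bytes32": 32}

@dataclass(frozen=True)
class Var:
    name: str
    typ: str
    slot: int
    offset: int

def assign_slots(decls):
    """Lay out (name, type) declarations with Solidity's sequential packing:
    a value type shares the current slot if it fits, else starts a new one."""
    out, slot, used = [], 0, 0
    for name, typ in decls:
        size = SIZES.get(typ, 32)
        if used + size > 32:
            slot, used = slot + 1, 0
        out.append(Var(name, typ, slot, used))
        used += size
    return out

def collisions(proxy_decls, logic_decls):
    """Logic variables that alias a slot the proxy itself writes. Through
    delegatecall both layouts address the SAME storage, so any hit is a bug."""
    proxy_by_slot = {}
    for v in assign_slots(proxy_decls):
        proxy_by_slot.setdefault(v.slot, []).append(v.name)
    return [(v.name, v.slot, proxy_by_slot[v.slot])
            for v in assign_slots(logic_decls) if v.slot in proxy_by_slot]

def upgrade_breaks_layout(old_decls, new_decls):
    """An upgraded logic contract may only append variables; every existing
    (name, type, slot, offset) must be unchanged or old data is misread."""
    old, new = assign_slots(old_decls), assign_slots(new_decls)
    return [o for o, n in zip(old, new) if o != n] + old[len(new):]

# Constructed layouts. WEAK_PROXY keeps its pointer and admin in slots 0-1,
# exactly where the logic contract expects its initializer guard and owner,
# so the guard that should block a second initialize() is clobbered.
WEAK_PROXY = [("implementation", "address"), ("admin", "address")]
# EIP-1967 style: the proxy keeps no sequential state; its pointer lives at
# keccak256("eip1967.proxy.implementation") - 1, unreachable by a declared var.
SAFE_PROXY = []
LOGIC_V1 = [("initialized", "bool"), ("owner", "address"), ("balances", "mapping(address=>uint256)")]
LOGIC_V2_OK = LOGIC_V1 + [("paused", "bool")]   # appended: layout preserved
LOGIC_V2_BAD = [("paused", "bool")] + LOGIC_V1  # prepended: every slot shifts
```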
Most problems happen where developers try to get around platform limitations using methods that are ill-suited to the task. Unfortunately, this was the case with Ethereum and AUDIUS. The lack of built-in contract upgradeability is a security flaw of Ethereum.
No program can be written without errors on the first try! Applying fixes and updating the code is an inevitable part of the development process.
- There was no open bug bounty or vulnerability reporting program in place. Had one existed, the attacker could have reported the bug rather than exploited it.
- Unfortunately, the most common way of re-inventing upgradeability in Ethereum is the use of proxy contracts. We strongly encourage dApp developers to pay attention to the caveats of proxy contracts, especially those concerning storage layout.
- Always have a bug bounty for your contracts. The more funds a contract is expected to hold, the more important it is to follow the best-known security practices.
- Smart contracts are better suited to solving the problem of trust than the problem of security. Use each tool where it is the best fit.