AUDIUS Governance System Exploit Overview

AUDIUS exploit

On July 23, 2022, the AUDIUS governance, staking, and delegation contracts on Ethereum mainnet were compromised due to a bug in the contract initialization code that allowed repeated invocations of the initialize functions. The bug allowed an attacker to maliciously transfer 18MM $AUDIO tokens held by the AUDIUS governance contract.

What happened?

Ethereum smart-contracts are not upgradeable by default. In order to overcome this limitation developers often use “Proxy contracts”.

Proxy contracts pull code from “logical” contracts and perform actions as if the storage structure of the proxy was identical to that of the “logic” contract, and if it does not match — mess occurs.

The root of the problem

Most of the problems happen where developers try to get around platform limitations and use methods that are ill-suited for this. Unfortunately this is the case with Ethereum and AUDIUS. The lack of built-in contract upgradeability is a security flaw of Ethereum.

No program can be written without errors on the first try! Applying fixes and updating the code is an inevitable part of the development process.

Security measures

• There was no open bug bounty or exploit reporting program in place. It was possible to create a bounty program, then the hacker could report a bug rather than exploit it.

Conclusions

• Unfortunately the most common practice of re-inventing upgradeability in Ethereum is the use of Proxy-contracts. We strongly encourage DAPP developers to pay attention to the caveats related to Proxy-contracts.

• Always have a bug bounty for your contracts. The more funds a contract is supposed to hold — the more important it is to adhere to the best-known security practices.

• Smart-contracts are better suitable for solving the issue of trust rather than the issue of security. Use tools as they are the best fit.