Callisto Network
Hack Investigation Dept.
AUDIUS Governance System Exploit Overview


Last updated 2 years ago

AUDIUS exploit

On July 23, 2022, the AUDIUS governance, staking, and delegation contracts on Ethereum mainnet were compromised due to a bug in the contract initialization code that allowed repeated invocations of the initialize functions. The bug allowed an attacker to maliciously transfer 18MM $AUDIO tokens held by the AUDIUS governance contract.

What happened?

Ethereum smart-contracts are not upgradeable by default. In order to overcome this limitation developers often use “Proxy contracts”.

Proxy contracts pull code from "logic" contracts and run it as if the proxy's storage layout were identical to that of the logic contract; when the two layouts do not match, the stored state is corrupted.
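The two failure modes named above and in the "AUDIUS exploit" paragraph, an initialize() that can be invoked again and a proxy whose storage layout does not match its logic contract, shown side by side with the layout that avoids them. This is an added, constructed Solidity illustration, not the AUDIUS contracts and not Callisto's code: contract and variable names are assumed for the example, and the two EIP-1967 slot constants are the standard published values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration (not the AUDIUS contracts): a proxy whose own
// state collides with the logic contract's layout, so that the one-shot
// initialize() guard is defeated, beside the EIP-1967 layout that keeps the
// proxy's state out of the logic contract's slots.

// Shared delegatecall forwarder used by both proxies below.
abstract contract Delegator {
    function _delegate(address impl) internal {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// ---------- Vulnerable pattern ----------

// The proxy keeps admin and implementation in ordinary declared storage,
// which the compiler places at slots 0 and 1.
contract NaiveProxy is Delegator {
    address public admin;          // slot 0
    address public implementation; // slot 1

    constructor(address impl) {
        admin = msg.sender;
        implementation = impl;
    }

    function upgradeTo(address impl) external {
        require(msg.sender == admin, "not admin");
        implementation = impl;
    }

    fallback() external payable { _delegate(implementation); }
}

// The logic contract's variables also start at slot 0. Under delegatecall
// they alias the PROXY's storage:
//   initialized <-> low byte of NaiveProxy.admin   (slot 0, offset 0)
//   owner       <-> NaiveProxy.implementation      (slot 1)
// So the "already initialized" check inspects a byte of the admin address
// instead of a real flag, setting the flag corrupts admin, and writing
// owner replaces the proxy's implementation pointer with a caller-chosen
// address.
contract NaiveLogic {
    bool public initialized; // slot 0, offset 0
    address public owner;    // slot 1

    function initialize(address newOwner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = newOwner;
    }
}

// ---------- Hardened pattern ----------

// EIP-1967 proxy: proxy state lives at fixed hashed slots that no declared
// variable of a logic contract can land on, so the logic contract owns the
// sequential slots 0, 1, 2, ... outright.
contract Eip1967Proxy is Delegator {
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    // bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1)
    bytes32 private constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    constructor(address impl) {
        _store(ADMIN_SLOT, msg.sender);
        _store(IMPL_SLOT, impl);
    }

    function upgradeTo(address impl) external {
        require(msg.sender == _load(ADMIN_SLOT), "not admin");
        _store(IMPL_SLOT, impl);
    }

    fallback() external payable { _delegate(_load(IMPL_SLOT)); }

    function _load(bytes32 slot) private view returns (address a) {
        assembly { a := sload(slot) }
    }

    function _store(bytes32 slot, address a) private {
        assembly { sstore(slot, a) }
    }
}

// Logic contract with a one-shot initializer. Its flag still sits at slot 0,
// which is now safe because the proxy declares no storage of its own. The
// constructor marks the bare implementation as initialized so it cannot be
// initialized directly; each proxy still runs initialize() once against its
// own storage. On upgrade, only ever append new variables after `owner`.
contract SafeLogic {
    bool private _initialized; // slot 0
    address public owner;      // slot 1

    constructor() {
        _initialized = true;
    }

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    function initialize(address newOwner) external initializer {
        owner = newOwner;
    }
}
```

In a local test environment, deploy NaiveLogic behind NaiveProxy and compare the proxy's admin() and implementation() before and after calling initialize() through the proxy; with Eip1967Proxy and SafeLogic the same call leaves the proxy's own slots untouched and a second initialize() reverts. Diffing the storage layout that solc --storage-layout emits, between the proxy and its logic contract and between successive logic versions, is the cheap pre-deployment check that catches this class of bug.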

The root of the problem

Most problems arise when developers try to work around platform limitations with methods that are ill-suited to the task. Unfortunately this is the case with Ethereum and AUDIUS. The lack of built-in contract upgradeability is a security flaw of Ethereum.

No program can be written without errors on the first try! Applying fixes and updating the code is an inevitable part of the development process.

Security measures

  • There was no open bug bounty or exploit reporting program in place. Had a bounty program existed, the hacker could have reported the bug rather than exploiting it.

Conclusions

  • Unfortunately, the most common way of re-inventing upgradeability on Ethereum is the use of proxy contracts. We strongly encourage DAPP developers to pay attention to the caveats of proxy contracts.

  • Always have a bug bounty for your contracts. The more funds a contract is supposed to hold, the more important it is to adhere to the best-known security practices.

  • Smart-contracts are better suited to solving the issue of trust than the issue of security. Use each tool for what it fits best.

You can find the detailed post-mortem report at the AUDIUS blog.

Proxy contracts are pointed at a "logic contract" and execute transactions by pulling the code from it. However, proxy contracts also need to keep their own internal variables and persist contract-related data. The way data is stored in Ethereum leads to the problem known as proxy storage collisions.

The lack of this essential feature leads to clunky attempts to circumvent it, which in turn lead to a number of problems associated with proxy contracts.

According to decrypt.co, the AUDIUS contracts were audited twice (by OpenZeppelin in 2020 and Kudelski in 2021). The exploited issue was in the code for 2 years.

It would be possible to insure a smart-contract that holds large quantities of funds in order to receive compensation in case of a hack. See the Callisto Insurance program.

There is no single method to ensure that a program is completely secure. Always use multiple methods that complement each other.