Audius Hack Attack: SmartState overview

SmartState.tech
3 min read · Jul 28, 2022


On July 23, 2022, Audius contracts for management, staking, and delegation on Ethereum were hacked using a bug in the contract initialization code that allowed the initialization functions to be called repeatedly.

This bug allowed the hacker to maliciously transfer more than 18M $AUDIO tokens stored in the Audius management contract (“community treasury”) to a wallet under their control and modify the voting system dynamics to illegally change the amount of $AUDIO in the network.

An audit of the smart contract set was conducted by the OpenZeppelin team in 2020, and some additional modifications separate from the affected vulnerable code were tested by Kudelski a year later. Unfortunately, the vulnerability was not discovered in either case.

Using a bug that allowed any function carrying the `initializer` modifier to be called again, the attacker was able to invoke the initializer method of the deployed Audius contracts that implement Initializable and overwrite contract storage that should only be set once, during initialization. Specifically, the attacker called initialize on the Governance, Staking, and DelegateManagerV2 contracts.

Exploiting this, the attacker was able to override voting in the Audius protocol and change the guardian address of the governance contract. With that, they pointed the governance address of both the Staking and DelegateManagerV2 contracts at a custom Audius governance contract deployment under their control and abused the Audius protocol as follows:

  1. An illegal delegation of $10,000,000,000,000,000,000 $AUDIO to themselves in an attempt to vote on governance.
  2. Another illegal delegation of $10,000,000,000,000,000 $AUDIO to themselves in an attempt to conduct a management vote, which did pass, after which the funds were transferred.
  3. A transfer of 18,564,497 $AUDIO tokens from the community treasury.
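The two properties the attack relied on, an initializer that can be called a second time and a guardian/governance address that can be rewritten by whoever reaches it, are exactly what an audit should prove cannot happen. The following is an added example, not Audius code and not the project's Initializable: a minimal one-shot initializer guard, a guardian setter restricted to the current guardian, and a Foundry test (forge-std) that asserts a second `initialize` call and an unauthorized guardian rotation both revert. The contract and function names (`GuardedGovernance`, `guardian`, `setGuardian`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";

// Added example (not Audius code). One-shot initializer guard of the kind
// upgradeable contracts rely on: a flag that is set on the first call and
// never cleared, so every later call to an `initializer` function reverts.
abstract contract Initializable {
    bool private _initialized;
    bool private _initializing;

    modifier initializer() {
        // Allow the call only if we are inside a top-level initialize
        // (nested initializers of parent contracts) or nothing has run yet.
        require(_initializing || !_initialized, "Initializable: already initialized");
        bool isTopLevel = !_initializing;
        if (isTopLevel) {
            _initializing = true;
            _initialized = true; // set before the body: re-entrant calls also fail
        }
        _;
        if (isTopLevel) {
            _initializing = false;
        }
    }
}

// Hypothetical governance contract: the guardian is fixed at initialization and
// can only be rotated by the current guardian, never re-set via initialize.
contract GuardedGovernance is Initializable {
    address public guardian;

    event GuardianChanged(address indexed previous, address indexed current);

    function initialize(address initialGuardian) external initializer {
        require(initialGuardian != address(0), "guardian is zero");
        guardian = initialGuardian;
        emit GuardianChanged(address(0), initialGuardian);
    }

    // The check "around the element that changes things in cascade": only the
    // current guardian may hand over control, and only to a non-zero address.
    function setGuardian(address next) external {
        require(msg.sender == guardian, "not guardian");
        require(next != address(0), "guardian is zero");
        emit GuardianChanged(guardian, next);
        guardian = next;
    }
}

// Foundry test: proves the two properties an auditor wants to see hold.
contract GuardedGovernanceTest is Test {
    GuardedGovernance gov;
    address constant TRUSTED = address(0xA11CE);   // constructed sample address
    address constant STRANGER = address(0xBAD);    // constructed sample address

    function setUp() public {
        gov = new GuardedGovernance();
        gov.initialize(TRUSTED);
    }

    function testSecondInitializeReverts() public {
        vm.expectRevert(bytes("Initializable: already initialized"));
        gov.initialize(STRANGER);
        // State set during the first initialization is untouched.
        assertEq(gov.guardian(), TRUSTED);
    }

    function testOnlyGuardianCanRotate() public {
        vm.prank(STRANGER);
        vm.expectRevert(bytes("not guardian"));
        gov.setGuardian(STRANGER);
        assertEq(gov.guardian(), TRUSTED);
    }

    function testGuardianCanRotate() public {
        vm.prank(TRUSTED);
        gov.setGuardian(STRANGER);
        assertEq(gov.guardian(), STRANGER);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The point of the test is that it fails loudly if anyone later weakens the `initializer` modifier or removes the `msg.sender == guardian` check; when the contracts sit behind a proxy, the same test should be run through the proxy, since that is the path a caller actually takes.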

The Audius team was able to write and apply a patch to quickly regain control of the protocol before the attacker could do more damage.

For more technical details about the hack, see the Audius Post-Mortem.

A quick overview from the SmartState team

Not every project writes its smart contract code from the ground up. In the Audius case, verified, publicly known contracts were used as the starting source code. When modifying someone else's code, the closest attention must be paid to the architecture of the logical processes, because when code is changed "from above" it is more than likely that logical inconsistencies, bugs and vulnerabilities will appear.

These kinds of errors appear during audits more often than we would like to see. Taking Audius as the example: any element that can change something in a cascading fashion must be surrounded by a check. It is a question of the logical consistency of the code's architecture, and that integrity and coherence should always be verified as part of the audit.

At SmartState, we use manual testing to detect logical errors of this kind, since automated tests are only good at detecting technical errors.

SmartState

Stay tuned and know more about us and what we provide on our:


Written by SmartState.tech

🇦🇪 Dubai-based enterprise level Web3 security company. Top-notch smart contract audits & blockchain security solutions 🚀🔒
