E8 - Audius Gets Owned - 7/30/2022

This week we dig into the Audius project and the fascinating governance attack on 7/23/2022, where a storage collision bug was leveraged to maliciously delegate AUDIO tokens and pass a governance proposal that drained the community fund of ~6.1MM USD worth of AUDIO tokens.
https://hackmd.io/@idegen/E8-Audius-Gets-Owned

# 7/29/2022 - I, Degen - E8 - Audius Governance Attacked 

:::info
Follow--> [@idegenfm](https://twitter.com/idegenfm)
:::

:::success
Listen---> [https://idegen.fm](https://idegen.fm)
:::

#### Intro
Welcome to I, Degen - Each week, we track down and explore the most exciting crypto stories. Hacks, mysteries, exploits, and anything that feeds our crypto curiosity.

Welcome degens! Come one, come all.

#### Episode Summary
This week we explore the Audius governance attack. 

# I, Degen - Weekly 

1. [Sky Mavis CEO Trung Nguyen transferred $3 million worth of AXS Gov tokens just before the hack was disclosed, but he says today that claims of insider trading "are baseless and false."](https://decrypt.co/106186/axie-infinity-ceo-moved-3m-in-tokens-before-622m-hack-disclosure-report) - From Decrypt 

> funds were transferred from Nguyen’s wallet so that AXS short sellers “would not be able to front-run the news,”

2. [US Senators Push Bill to Make Small Crypto Transactions Tax-Free under $50](https://www.coindesk.com/policy/2022/07/26/us-senators-push-bill-to-make-small-crypto-transactions-tax-free/) - From Coindesk
3. [FBI detects fake crypto apps that scammed $42.7M from 244 victims](https://cryptoslate.com/fbi-detects-fake-crypto-apps-that-scammed-42-7m-from-244-victims/) - From Cryptoslate
4. [South Korean officials conclude week-long raid in Terra-LUNA case](https://cryptoslate.com/south-korean-officials-conclude-week-long-raid-in-terra-luna-case/)
5. [The recent swoon in cryptocurrency valuations “has directly impacted pricing of luxury watches from brands like Rolex and Patek Philippe,”](https://www.bloomberg.com/news/articles/2022-07-29/the-crypto-collapse-has-flooded-the-market-with-rolex-and-patek) - From Bloomberg

# Deep Dive - Audius Governance Attack 

**What happened?**
On July 23rd, 2022, Audius, a Web3 music platform, suffered a governance attack for $6M worth of AUDIO, its native token.

**What is Audius?**
<hunt>

**Before we jump in, let's talk about what proxy contracts are and how they work.**

Proxy contracts make it possible to upgrade or replace a dapp's contract logic, or even to deploy clones.

At a high level, in this case (though not in all proxy patterns), they separate the storage and logic layers of the app: the proxy contract sits in front and holds the storage, and a second contract behind the proxy holds the application logic.

![](https://hackmd.io/_uploads/ryTGghxT9.png)

source: https://blog.openzeppelin.com/proxy-patterns/

Key Point:
> Whenever a contract A delegates a call to another contract B, it executes the code of contract B in the context of contract A.

> The first contract is a simple wrapper or "proxy" which users interact with directly and is in charge of forwarding transactions to and from the second contract, which contains the logic. - [OpenZeppelin Docs](https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#unstructured-storage-proxies)

Instead of mapping every function one to one, the proxy's fallback function is leveraged: any call that doesn't match a function on the proxy itself is forwarded to the logic contract with a delegatecall, so the logic runs against the proxy's storage.

> That is, the logic contract controls the proxy’s state and the logic contract’s state is meaningless. Thus, the proxy doesn’t only forward transactions to and from the logic contract, but also represents the pair’s state. The state is in the proxy and the logic is in the particular implementation that the proxy points to.

Solidity lays out a contract's state variables in 32-byte storage slots, assigned sequentially in declaration order. Because delegatecall runs the logic contract's code against the proxy's storage, the proxy and the logic contract have to agree on which slot holds what. If the proxy declares its own state variable at a slot the logic contract also uses, the two overwrite each other's data: a storage collision.

[Storage Collision](https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#unstructured-storage-proxies)
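The following is an added, constructed Solidity illustration of the collision described above, placed beside the unstructured-storage layout that the OpenZeppelin docs linked here recommend. It is not Audius's or OpenZeppelin's code: the contract and variable names (`Logic`, `Forwarder`, `CollidingProxy`, `UnstructuredProxy`, `admin`, `governance`) are assumptions chosen for teaching, and `ADMIN_SLOT` is the EIP-1967 admin slot constant.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed teaching example of a proxy storage collision; not the Audius
// or OpenZeppelin source. Contract and variable names are assumptions.

// Minimal stand-in for OpenZeppelin's Initializable: `initialize` is meant to
// succeed exactly once, guarded by a flag that lives in storage slot 0.
contract Logic {
    bool private initialized;   // slot 0 (low byte)
    address public governance;  // slot 1

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    function initialize(address gov) external initializer {
        governance = gov;
    }
}

// Shared forwarding code. The implementation address is immutable (embedded in
// the bytecode), so it occupies no storage slot and cannot collide with anything.
abstract contract Forwarder {
    address internal immutable implementation;

    constructor(address impl) { implementation = impl; }

    // Any call that matches no function here is forwarded with DELEGATECALL,
    // which executes Logic's code against *this* contract's storage.
    fallback() external payable {
        address impl = implementation; // local copy: older compilers cannot read immutables in assembly
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}

// VULNERABLE LAYOUT: `admin` is an ordinary state variable, so the compiler
// gives it slot 0, the same slot Logic uses for `initialized`. Both contracts
// now read and write one word through two different layouts:
//  - the constructor and changeAdmin() overwrite the whole slot, so the
//    one-time flag becomes whatever byte of the new address lands there;
//  - initialize() writes `initialized = true` into the low byte, corrupting `admin`.
contract CollidingProxy is Forwarder {
    address public admin;       // slot 0  <-- collides with Logic.initialized

    constructor(address impl) Forwarder(impl) {
        admin = msg.sender;
    }

    function changeAdmin(address newAdmin) external {
        require(msg.sender == admin, "not admin");
        admin = newAdmin;       // clobbers slot 0, including Logic's flag
    }
}

// HARDENED LAYOUT (unstructured storage, as in EIP-1967): the proxy keeps its
// own variable at a slot derived from a hash, far from the sequential slots
// 0, 1, 2, ... that Logic's variables occupy, so the two layouts cannot overlap.
contract UnstructuredProxy is Forwarder {
    // EIP-1967 admin slot: bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1)
    bytes32 private constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    constructor(address impl) Forwarder(impl) {
        _setAdmin(msg.sender);
    }

    function admin() public view returns (address a) {
        bytes32 slot = ADMIN_SLOT;
        assembly { a := sload(slot) }
    }

    function changeAdmin(address newAdmin) external {
        require(msg.sender == admin(), "not admin");
        _setAdmin(newAdmin);    // touches only ADMIN_SLOT; slot 0 stays Logic's
    }

    function _setAdmin(address a) internal {
        bytes32 slot = ADMIN_SLOT;
        assembly { sstore(slot, a) }
    }
}
```

In `CollidingProxy`, whether `initialize` is callable through the proxy depends on the bytes of the admin address already sitting in slot 0, not on whether `initialize` has ever run, and every `changeAdmin` rewrites that word. That is why a collision of this kind can sit in deployed contracts without showing up in normal use. `UnstructuredProxy` keeps the proxy's bookkeeping out of the logic contract's slot range entirely, which is the same idea the linked OpenZeppelin page describes.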

> Using this bug, the attacker was able to call the initializer method of deployed Audius contracts that implement Initializable and change storage state that is intended to be set only once in initialization. 

In other words:

>the attacker was able to reinitialise governance contracts, delegating a large number of governance tokens to themself and bypassing safeguards meant to limit malicious proposals.

So, the storage collision led to the deployment of a malicious governance contract and a massive fraudulent token delegation, which was then used to pass a malicious governance proposal sending AUDIO tokens from the Audius community pool to the attacker.

A quick, high-slippage sale of 6.1MM USD worth of AUDIO on Uniswap netted ~1MM USD / 704 ETH, and the ETH then went into Tornado Cash.

Takeaways:

- Super fast response: the vuln was mitigated within a few hours of discovery.

- > These contracts were deployed in October 2020 and this vulnerability has been live in the wild since that time. - [audius-governance-takeover-post-mortem](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22)
- Human angle: why swap 6MM for 1MM? In a hurry?

# Weekly Freestyle 
Password Manager Nightmare

# Who tried to own you this week? 
Evolving SMS scams, likely from the Ledger breach
# References 
[Audius Post Mortem](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22) 

[OpenZeppelin Audius Contracts Audit](https://blog.openzeppelin.com/audius-contracts-audit/)

[Rekt News Write Up](https://rekt.news/audius-rekt/)

[Solidity Storage In Depth (kubertu.com)](https://kubertu.com/blog/solidity-storage-in-depth/)

[Malicious Transaction](https://oko.palkeo.com/0xfefd829e246002a8fd061eede7501bccb6e244a9aacea0ebceaecef5d877a984/)

[OG OZ Article on Proxy Patterns from 2018](https://blog.openzeppelin.com/proxy-patterns/)