Audius Governance Takeover Post-Mortem 7/23/22 | Audius Blog

Details provided:

• Audius claimed there was a bug in their implementation of the Upgradeable smart contracts pattern, implemented with OpenZeppelin
• The attacker was able to make repeated calls to contracts that are meant to be called once (initializers) which allow them to set state variables.

Contract Structure

Audius Upgradeable Exploit

Storage Layout of Audius

S   Admin(Proxy)   | Implementation
	-----------------|-----------------
0   proxyAdmin     | initialized, initializing (OZ)  <------ Storage Collision
	-----------------|-----------------
1                  | isInitialized (V2)
	-----------------|-----------------
...
	-----------------|-----------------
[0x3...bc]         |
   implementation	 |
	-----------------|-----------------

• OZ Initializable has 2 boolean values packed into storage slot 0 (2/32 bytes):

  • Initialized
  • Initializing

• Audius has a governance contract that stores the address proxyAdmin at storage slot 0. It also acts as a Proxy, so will cause collisions with the implementation contract in _delegate

• Recall how a call to an OZ upgradeable contract works:

  1. Call to Proxy
  2. Function not recognised, passed to fallback
  3. Custom fallback implements custom delegate call
  4. Delegate call to implementation (address stored at 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc)
  5. Execute call within context of implementation contract using Proxy for storage

The problem, therefore, was storing information about the Admin in the Proxy contract.

• The check requiring initializing always passes, because initially initializing is set to true
• The isTopLevelCall always returns false because initialized is true and so !initalized is false
• initalizing is never set to false
• Attacker can therefore call the initialize function, in, say Staking.sol and set the governance address to what they want