ID: audius-project-986
Date: July 24, 2022
Status: Verified
Incident Count: 1
REKT
Contributor: web3rekt.com
KYC: No
Audits: None
Loss Amount: 6,000,000
Recovered: -
Currency: USD, AUDIO

Audius is a fully decentralized music platform. The project reported an unauthorized transfer of AUDIO tokens from the community treasury. Certik Alert reported that over 700 ETH was taken and sent to Tornado.cash. The attacker called the `initialize` function of the Audius governance contract to re-initialize its configuration, changing values such as the voting period, execution delay and guardian address.

The attacker then submitted a malicious proposal (ID 85), and proposed and executed it, draining 18.5M AUDIO. The proceeds were converted to ETH (worth ~$1.08M) and currently sit in the attacker's address.

The post mortem attributed the hack to a storage collision between the proxyAdmin address and OpenZeppelin's Initializable contract's `initialized` and `initializing` boolean state, which occupy the first and second bytes of the same slot 0. Because the last byte of the proxyAdmin address is `0xac`, `initialized` was read as a truthy value. Similarly, because the second byte of the proxyAdmin address is `0xab`, `initializing` was also read as a truthy value. As a result the `initializer()` modifier always succeeded, so `initialize` could be called repeatedly.
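As an added illustration (not Audius or OpenZeppelin code), the following Python models the slot-0 collision described in the post mortem: a proxy that stores proxyAdmin in slot 0 beside a logic contract whose Initializable flags live in that same slot, against a proxy that keeps its admin in the EIP-1967 admin slot. The admin address is constructed so that its two low-order bytes are `0xab 0xac`; the `Proxy` class and its method names are this example's own.

```python
from dataclasses import dataclass, field

# EIP-1967 admin slot: bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1)
EIP1967_ADMIN_SLOT = 0xB53127684A568B3173AE13B9F8A6016E243E63B6E8EE1178D6A717850B5D6103

def address_word(addr_hex: str) -> bytes:
    """32-byte storage word holding a 20-byte address, right-aligned as the EVM stores it."""
    addr = bytes.fromhex(addr_hex.removeprefix("0x"))
    if len(addr) != 20:
        raise ValueError("address must be 20 bytes")
    return addr.rjust(32, b"\x00")

@dataclass
class Proxy:
    storage: dict = field(default_factory=dict)   # slot -> 32-byte word

    def word(self, slot: int) -> bytes:
        return self.storage.get(slot, bytes(32))

    # Initializable layout as the logic contract sees it through delegatecall.
    # Solidity packs small variables from the low-order end of the word, so
    # byte 0 of slot 0 is `initialized` and byte 1 is `initializing`.
    def initialized(self) -> bool:
        return self.word(0)[31] != 0

    def initializing(self) -> bool:
        return self.word(0)[30] != 0

    def initialize(self) -> bool:
        """Mirror of the OZ initializer modifier; True if the call was allowed."""
        if not (self.initializing() or not self.initialized()):
            return False                      # re-initialisation rejected
        top_level = not self.initializing()
        w = bytearray(self.word(0))
        if top_level:
            w[30], w[31] = 1, 1               # initializing = initialized = true
        # ... initializer body would run here ...
        if top_level:
            w[30] = 0                         # initializing = false
        self.storage[0] = bytes(w)
        return True

def vulnerable_proxy(admin_hex: str) -> Proxy:
    """Proxy keeping proxyAdmin in slot 0, colliding with the Initializable flags."""
    return Proxy({0: address_word(admin_hex)})

def eip1967_proxy(admin_hex: str) -> Proxy:
    """Proxy keeping its admin in the EIP-1967 slot, leaving slot 0 to the logic contract."""
    return Proxy({EIP1967_ADMIN_SLOT: address_word(admin_hex)})

def read_flags(proxy: Proxy) -> tuple:
    return (proxy.initialized(), proxy.initializing())

def reinit_count(proxy: Proxy, attempts: int = 3) -> int:
    """Number of successful initialize() calls; a sound layout allows exactly one."""
    return sum(proxy.initialize() for _ in range(attempts))

# Constructed admin address (placeholder) whose low bytes are 0xab 0xac.
ADMIN = "0x" + "11" * 18 + "abac"
```

With the colliding layout the address bytes are read as both flags being set, so `initialize` never writes anything and succeeds on every call; with the EIP-1967 layout the first call sets `initialized` and every later call is rejected.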


DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any or all usage of the data and information derived from this database.