Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Audius Governance Takeover Post-Mortem- 1036

audius, posted 3 years ago
  • Audius is a blockchain music platform. In July of 2023, the governance was hacked.
  • The Audius governance contract uses the OpenZeppelin proxy upgrade pattern, overriding the standard implementation with AudiusAdminUpgradeabilityProxy. This proxy contract is what changes the implementation contract in use.
  • AudiusAdminUpgradeabilityProxy uses storage slot 0 for the address proxyAdmin. The implementation contract, meanwhile, used the OpenZeppelin Initializable contract, which keeps the variables initialized and initializing in the first few slots of the implementation contract. Because a proxy delegatecalls into its implementation, both contracts read and write the same storage, so their slot layouts must not overlap.
  • The address of the proxyAdmin was 0x4deca517d6817b6510798b7328f2314d3003abac. Read through the implementation's layout, that slot made both initializing and initialized truthy values! What does this mean? The initializer modifier would always succeed, allowing the implementation contract to be re-initialized over and over again.
  • This bug allowed the attacker to re-initialize the Audius contract and change storage state that was only intended to be set once during initialization. Using this, they were able to redefine the voting protocol and give themselves a ton of money.
  • To fix this vulnerability, the team used the vulnerability itself to install a simple patched contract. Then they were able to add a new version of the implementation whose initialization state did not overlap with the proxyAdmin address.
  • The vulnerability existed in the project for 2 years without anybody noticing. Considering the team used two well-defined and audited contracts, it is crazy that this vulnerability ever existed. Good report on the finding though!
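To make the slot collision concrete, here is an added example (my own code, not Audius's or OpenZeppelin's) that models a 32-byte EVM storage word holding the proxyAdmin address quoted above, decodes it the way the implementation's Initializable flags would see it, and runs the layout check that would have flagged the overlap. The layout tuples are constructed by hand in the shape of solc's storage-layout output (label, slot, offset, size in bytes); the initializer guard is a simplified model of the legacy OpenZeppelin modifier (initializing || !initialized), and the hardened layout moves the admin to the EIP-1967 admin slot.

```python
"""Storage-slot collision check for a proxy/implementation pair.

Added example, not code from the Audius post-mortem, Audius, or OpenZeppelin.
It models how a proxy that keeps its admin address in slot 0 collides with an
implementation whose Initializable flags also live in slot 0, and shows the
layout check that detects such overlaps before an upgrade ships.
"""

# Admin address quoted in the post-mortem notes above.
PROXY_ADMIN = 0x4DECA517D6817B6510798B7328F2314D3003ABAC

# Constructed layouts (assumption: the pre-fix proxy kept proxyAdmin in slot 0
# and the legacy Initializable packed two bools at the start of slot 0).
# Tuple shape: (label, slot, byte offset within slot, size in bytes).
PROXY_LAYOUT_BEFORE = [("proxyAdmin", 0, 0, 20)]
IMPL_LAYOUT = [("initialized", 0, 0, 1), ("initializing", 0, 1, 1)]

# EIP-1967 admin slot: uint256(keccak256("eip1967.proxy.admin")) - 1.
EIP1967_ADMIN_SLOT = 0xB53127684A568B3173AE13B9F8A6016E243E63B6E8EE1178D6A717850B5D6103
PROXY_LAYOUT_AFTER = [("proxyAdmin", EIP1967_ADMIN_SLOT, 0, 20)]


def storage_word(value: int) -> bytes:
    """A 32-byte EVM storage word holding value (an address sits in the low 20 bytes)."""
    return value.to_bytes(32, "big")


def read_packed(word: bytes, offset: int, size: int) -> int:
    """Read a packed variable; offset 0 is the least-significant byte of the word."""
    end = 32 - offset
    return int.from_bytes(word[end - size:end], "big")


def initializable_flags(word: bytes) -> tuple:
    """(initialized, initializing) as the EVM sees them: any non-zero byte is truthy."""
    return bool(read_packed(word, 0, 1)), bool(read_packed(word, 1, 1))


def initializer_allows_call(word: bytes) -> bool:
    """Simplified model of the legacy OpenZeppelin initializer guard:
    require(initializing || !initialized). The constructor case is omitted
    because calls through a proxy never take that path."""
    initialized, initializing = initializable_flags(word)
    return initializing or not initialized


def overlaps(a: tuple, b: tuple) -> bool:
    """Two layout entries overlap if they share a slot and their byte ranges intersect."""
    _, slot_a, off_a, size_a = a
    _, slot_b, off_b, size_b = b
    return slot_a == slot_b and off_a < off_b + size_b and off_b < off_a + size_a


def layout_collisions(proxy_layout: list, impl_layout: list) -> list:
    """Pairs (proxy variable, implementation variable) that share storage bytes."""
    return [(p[0], i[0]) for p in proxy_layout for i in impl_layout if overlaps(p, i)]


if __name__ == "__main__":
    word = storage_word(PROXY_ADMIN)
    print("flags seen through slot 0:", initializable_flags(word))
    print("initializer passes:", initializer_allows_call(word))
    print("collisions before fix:", layout_collisions(PROXY_LAYOUT_BEFORE, IMPL_LAYOUT))
    print("collisions after fix:", layout_collisions(PROXY_LAYOUT_AFTER, IMPL_LAYOUT))
```

The low two bytes of the admin address (0xab, 0xac) are exactly where the implementation expects its two one-byte flags, so the guard that should fail after the first initialize passes forever. The same layout_collisions check, fed the real solc storage-layout output for both contracts, is a cheap pre-upgrade gate for any proxy-based deployment.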