E8 - Audius Gets Owned - 7/30/2022

https://hackmd.io/@idegen/E8-Audius-Gets-Owned

# 7/29/2022 - I, Degen - E8 - Audius Governance Attacked 

:::info
Follow--> [@idegenfm](https://twitter.com/idegenfm)
:::

:::success
Listen---> [https://idegen.fm](https://idegen.fm)
:::

#### Intro
Welcome to I, Degen - Each week, we track down and explore the most exciting crypto stories. Hacks, mysteries, exploits, and anything that feeds our crypto curiosity.

Welcome degens! Come one, come all.

#### Episode Summary
This week we explore the Audius governance attack. 

# I, Degen - Weekly 

1. [Sky Mavis CEO Trung Nguyen transferred $3 million worth of AXS Gov tokens just before the hack was disclosed, but he says today that claims of insider trading "are baseless and false."](https://decrypt.co/106186/axie-infinity-ceo-moved-3m-in-tokens-before-622m-hack-disclosure-report) - From Decrypt 

> funds were transferred from Nguyen’s wallet so that AXS short sellers “would not be able to front-run the news,”

2. [US Senators Push Bill to Make Small Crypto Transactions Tax-Free under $50](https://www.coindesk.com/policy/2022/07/26/us-senators-push-bill-to-make-small-crypto-transactions-tax-free/) - From Coindesk
3. [FBI detects fake crypto apps that scammed $42.7M from 244 victims](https://cryptoslate.com/fbi-detects-fake-crypto-apps-that-scammed-42-7m-from-244-victims/) - From Cryptoslate
4. [South Korean officials conclude week-long raid in Terra-LUNA case](https://cryptoslate.com/south-korean-officials-conclude-week-long-raid-in-terra-luna-case/)
5. [The recent swoon in cryptocurrency valuations “has directly impacted pricing of luxury watches from brands like Rolex and Patek Philippe,”](https://www.bloomberg.com/news/articles/2022-07-29/the-crypto-collapse-has-flooded-the-market-with-rolex-and-patek) - From Bloomberg

# Deep Dive - Audius Governance Attack 

**What happened?**
On July 23rd, 2022, Audius, a Web3 music platform, suffered a governance attack that took roughly $6M worth of AUDIO, its native token.

**What is Audius?**
<hunt>

**Before we jump in, let's talk about what proxy contracts are and how they work.**

Proxy contracts make it possible to upgrade or change a dapp's contract logic after deployment, or even to deploy cheap clones that share a single implementation.

At a high level, in this pattern (though not in every proxy pattern), the storage and logic layers of the app are separated: the proxy contract sits in front of users and holds the storage, and an implementation contract behind it holds the application logic.

![](https://hackmd.io/_uploads/ryTGghxT9.png)

source: https://blog.openzeppelin.com/proxy-patterns/

Key Point:
> Whenever a contract A delegates a call to another contract B, it executes the code of contract B in the context of contract A.

> The first contract is a simple wrapper or "proxy" which users interact with directly and is in charge of forwarding transactions to and from the second contract, which contains the logic. - [OpenZeppelin Docs](https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#unstructured-storage-proxies)

Instead of mapping every function one to one, the proxy relies on its fallback function: any call that does not match one of the proxy's own functions lands in the fallback, which forwards the raw calldata to the logic contract with `delegatecall` and returns whatever comes back.

> That is, the logic contract controls the proxy’s state and the logic contract’s state is meaningless. Thus, the proxy doesn’t only forward transactions to and from the logic contract, but also represents the pair’s state. The state is in the proxy and the logic is in the particular implementation that the proxy points to.

Solidity stores contract state in 32-byte slots, handed out in declaration order starting at slot 0 (values smaller than 32 bytes are packed together, and mapping and dynamic-array contents live at hashed locations). Because `delegatecall` runs the logic contract's code against the proxy's storage, both contracts read and write the same slot numbers: if the proxy declares its own state variable at slot 0 and the logic contract also expects slot 0 for, say, an `initialized` flag, the two silently overwrite each other. That is a storage collision, and the usual remedy is to keep the proxy's own variables in pseudo-random slots derived from a hash, where no sequentially assigned implementation variable can land.

[Storage Collision](https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#unstructured-storage-proxies)
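As an added illustration (this is not Audius's code and not part of the original post), the Solidity sketch below shows the collision the post is building toward: a proxy that keeps its own `admin` address in slot 0 while the implementation keeps an Initializable-style `initialized` flag in slot 0, next to the unstructured-storage fix. The contract names, variable names and the `ADMIN`/`ATTACKER` addresses are constructed for the demo; the `Demo` contract deploys everything and can be run from Remix or a Foundry script by calling `run()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Implementation in the style of an Initializable logic contract: no
// constructor, state is set by initialize(), which must run at most once.
// Its first variables are assigned slots 0 and 1 of the calling proxy.
contract LogicV1 {
    bool public initialized;  // slot 0, low byte
    address public owner;     // slot 1

    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;   // writes only the low byte of slot 0
        owner = _owner;
    }

    function isOwner(address who) external view returns (bool) {
        return who == owner;
    }
}

// Shared forwarding logic: anything that is not a proxy function hits the
// fallback and is delegatecalled, so LogicV1 runs against the proxy's storage.
abstract contract Forwarder {
    address internal immutable impl;  // immutable lives in code, not in a slot

    constructor(address _impl) { impl = _impl; }

    fallback() external payable {
        address target = impl;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), target, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// BUG: `admin` is an ordinary state variable, so it occupies slot 0 of the
// proxy, the very slot LogicV1 treats as its `initialized` flag.
contract NaiveProxy is Forwarder {
    address public admin;  // slot 0 -- collides with LogicV1.initialized

    constructor(address _impl, address _admin) Forwarder(_impl) { admin = _admin; }
}

// FIX (unstructured storage): keep proxy state in a hashed slot that no
// sequentially numbered implementation variable will ever reach.
contract UnstructuredProxy is Forwarder {
    bytes32 private constant ADMIN_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);

    constructor(address _impl, address _admin) Forwarder(_impl) {
        bytes32 slot = ADMIN_SLOT;
        assembly { sstore(slot, _admin) }
    }

    function admin() external view returns (address a) {
        bytes32 slot = ADMIN_SLOT;
        assembly { a := sload(slot) }
    }
}

// Walk-through. Constructed addresses, not real ones.
contract Demo {
    // ADMIN's low byte is 0x00, so read back as LogicV1.initialized it is false.
    address constant ADMIN    = address(uint160(0x1100));
    address constant ATTACKER = address(uint160(0xBAD));

    function run()
        external
        returns (bool attackerOwnsNaive, address naiveAdminAfter,
                 bool attackerOwnsFixed, address fixedAdminAfter)
    {
        LogicV1 logic = new LogicV1();

        // 1. Naive proxy: the "already initialized" guard is really reading a
        //    byte of the admin address, so an outsider initializes the contract
        //    and becomes owner. The write also corrupts admin (0x1100 -> 0x1101).
        NaiveProxy naive = new NaiveProxy(address(logic), ADMIN);
        LogicV1(address(naive)).initialize(ATTACKER);
        attackerOwnsNaive = LogicV1(address(naive)).isOwner(ATTACKER);  // true
        naiveAdminAfter = naive.admin();                                 // 0x...1101

        // 2. Unstructured proxy: the legitimate initialize runs once, the second
        //    attempt reverts, and the hashed admin slot is untouched.
        UnstructuredProxy safe = new UnstructuredProxy(address(logic), ADMIN);
        LogicV1(address(safe)).initialize(ADMIN);
        (bool ok, ) = address(safe).call(
            abi.encodeWithSelector(LogicV1.initialize.selector, ATTACKER));
        attackerOwnsFixed = ok && LogicV1(address(safe)).isOwner(ATTACKER);  // false
        fixedAdminAfter = safe.admin();                                      // ADMIN
    }
}
```

Two things are worth noticing when you step through it. First, whether the naive proxy is exploitable depends on an unrelated value (the low byte of the admin address): with a different admin the flag would read true and the legitimate initialize would be the one that fails, which is the same bug seen from the other side. Second, the fix does not touch `LogicV1` at all; moving the proxy's own variable out of the sequential slot range is enough to stop the two layouts from overlapping.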

> Using this bug, the attacker was able to call the initializer method of deployed Audius contracts that implement Initializable and change storage state that is intended to be set on
