# AUDIUS Governance System Exploit Overview

![](/files/ZR8CVSEvFYJtsugYYykO)

## AUDIUS exploit <a href="#id-5c05" id="id-5c05"></a>

On July 23, 2022, the AUDIUS governance, staking, and delegation contracts on Ethereum mainnet were compromised due to a bug in the contract initialization code that allowed repeated invocations of the initialize functions. The bug allowed an attacker to maliciously transfer 18MM *$AUDIO* tokens held by the AUDIUS governance contract.

You can find the [detailed post-mortem report here](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22) at AUDIUS blog.

## What happened? <a href="#id-8788" id="id-8788"></a>

Ethereum smart contracts are immutable once deployed: there is no built-in upgrade mechanism. To get around this limitation, developers commonly use “proxy contracts”.

A proxy contract holds the state and the address of a separate “logic contract”. Every call to the proxy is forwarded with `DELEGATECALL`, which runs the logic contract's code against the proxy's own storage. The proxy still has to keep its own persistent bookkeeping (the implementation address, an admin address) in that same storage, next to whatever the logic contract stores. Solidity lays out state variables by declaration order starting at slot 0, and the EVM has no notion of which contract a slot “belongs to”, so the two layouts can overlap. This is the problem known as [proxy storage collisions](https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#unstructured-storage-proxies).

The logic contract's code runs as if the proxy's storage had exactly the layout the logic contract declares. If the proxy declares its own state variables in the same slots, the two contracts silently read and overwrite each other's data: a boolean such as an `initialized` flag can end up being read from the bytes of an address, and a guard built on that flag no longer guards anything. That is how the initialize functions of the AUDIUS contracts became callable again after deployment.
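The collision described above, as an added example that is not Audius's code and does not reproduce its contracts: a minimal `DELEGATECALL` proxy that keeps `admin` in an ordinary state variable, a logic contract whose initialization flags occupy slot 0, and the same proxy with `admin` moved to an unstructured (EIP-1967) slot. The contract names, the simplified `Initializable` shape, the `Demo` harness and the constructed admin address are all assumptions made for the illustration; the slot labels are the standard EIP-1967 ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not Audius's code): a proxy keeping `admin` in slot 0
// in front of a logic contract whose initialization flags also live in
// slot 0, and the same proxy with `admin` moved to an EIP-1967 slot.

// Simplified version of the classic Initializable pattern (assumed shape):
// two packed booleans in the first storage slot guard initialize().
abstract contract Initializable {
    bool private initialized;   // slot 0, byte 0
    bool private initializing;  // slot 0, byte 1

    modifier initializer() {
        require(initializing || !initialized, "already initialized");
        bool isTopLevelCall = !initializing;
        if (isTopLevelCall) { initializing = true; initialized = true; }
        _;
        if (isTopLevelCall) { initializing = false; }
    }
}

// Hypothetical logic contract; initialize() is meant to succeed only once.
contract Governance is Initializable {
    address public guardian;    // slot 1
    function initialize(address g) external initializer { guardian = g; }
}

abstract contract DelegatingProxy {
    // Standard EIP-1967 implementation slot: nowhere near slot 0.
    bytes32 internal constant IMPL_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1);

    function _setImpl(address impl) internal {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, impl) }
    }

    // Every unknown selector is forwarded with DELEGATECALL, so the logic
    // code reads and writes THIS contract's storage.
    fallback() external payable {
        bytes32 slot = IMPL_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// VULNERABLE: `admin` is a normal state variable, so it occupies slot 0 of
// the proxy. Under delegatecall, `initialized` and `initializing` are read
// from the two low bytes of this address instead of from real flags.
contract CollidingProxy is DelegatingProxy {
    address public admin;
    constructor(address impl, address admin_) { admin = admin_; _setImpl(impl); }
}

// FIXED: the proxy declares no ordinary state variables at all; `admin` goes
// into its own EIP-1967 slot, so slot 0 belongs to the logic contract.
contract SafeProxy is DelegatingProxy {
    bytes32 private constant ADMIN_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);

    constructor(address impl, address admin_) {
        bytes32 slot = ADMIN_SLOT;
        assembly { sstore(slot, admin_) }
        _setImpl(impl);
    }

    function admin() external view returns (address a) {
        bytes32 slot = ADMIN_SLOT;
        assembly { a := sload(slot) }
    }
}

// Deploys each proxy in front of a fresh Governance and calls initialize()
// twice through it.
contract Demo {
    // Constructed admin address with every byte nonzero, so both packed
    // booleans read as true through CollidingProxy and the guard passes.
    address constant ADMIN = 0x1111111111111111111111111111111111111111;

    function collidingProxyReinitializes() external returns (bool) {
        Governance g = Governance(address(new CollidingProxy(address(new Governance()), ADMIN)));
        g.initialize(address(1));
        g.initialize(address(2));          // should revert, but does not
        return g.guardian() == address(2); // true: re-initialized through the proxy
    }

    function safeProxyRejectsReinit() external returns (bool rejected) {
        Governance g = Governance(address(new SafeProxy(address(new Governance()), ADMIN)));
        g.initialize(address(1));
        try g.initialize(address(2)) { rejected = false; }
        catch { rejected = true; }         // reverts with "already initialized"
    }
}
```

Whether the two booleans read as true or false through `CollidingProxy` depends on the low two bytes of whatever address sits in slot 0; with an address whose low bytes are zero the first `initialize()` would instead write the flag bytes into the admin address. Either way the proxy and the logic contract share bytes they were never meant to share, which is why the fix is to keep every proxy-owned value in a hashed, unstructured slot and to declare no ordinary state variables in the proxy at all.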

## The root of the problem <a href="#id-0a9c" id="id-0a9c"></a>

Most problems of this kind arise where developers work around a platform limitation with tools that are ill-suited to the job. Unfortunately this is the case with Ethereum and AUDIUS. The lack of built-in contract upgradeability is a security flaw of Ethereum.

**No program can be written without errors on the first try!** Applying fixes and updating the code is an inevitable part of the development process.

The lack of this essential feature leads to clunky attempts to circumvent it, which in turn bring [a number of problems associated with proxy contracts](https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#storage-collisions-between-implementation-versions).

## Security measures <a href="#id-7d73" id="id-7d73"></a>

* [According to decrypt.co](https://decrypt.co/105913/how-audius-was-hacked-6m-ethereum-tokens), the AUDIUS contracts were audited twice (by OpenZeppelin in 2020 and by Kudelski in 2021). The exploited issue sat in the code for two years.
* **There was no open bug bounty or exploit reporting program in place.** With a bounty program, the attacker would have had the option of reporting the bug instead of exploiting it.
* **A smart contract that holds large amounts of funds can be insured**, so that there is compensation in case of a hack. See the [Callisto Insurance program](https://dexaran820.medium.com/the-new-word-in-security-of-smart-contracts-auditable-insurance-6ddc6a5b17e0).

## Conclusions <a href="#id-65e0" id="id-65e0"></a>

* Unfortunately, the most common way of re-inventing upgradeability on Ethereum is the use of proxy contracts. We strongly encourage DAPP developers to pay attention to the caveats that come with proxies.
* Always have a bug bounty for your contracts. The more funds a contract is meant to hold, the more important it is to follow the best-known security practices.
* There is no single method that makes a program completely secure. Always use [multiple methods that complement each other](https://www.ibm.com/docs/en/i/7.3?topic=security-layered-defense-approach).
* Smart contracts are better suited to solving the problem of trust than the problem of security. Use each tool for what it fits best.
