Audius Governance Exploit

Proof of Concept of Audius Protocol Exploit on 2022-07-23. This is for educational purposes only. This repo have two exploit methods.

AudiusExploitWithProposal: The same method as the attacker

AudiusExploitWithoutProposal: A gas-efficient method executed in a single transaction

Test

$ forge test

Compare

	`AudiusExploitWithProposal`	`AudiusExploitWithoutProposal`
Transactions	3	1
Gas	1622538	590968

Post-Mortem

Official post-mortem: https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22

Storage collision

proxyAdmin = 4d ec a5 17 ...  30 03 ab ac
                                    │  │
                                    │  └─ initialized (true)
                                    └── initializing (true)

`AudiusExploitWithProposal`

Initialize Governance, Staking, and DelegateManagerV2 contracts via a vulnerability of storage collision. The address of the governance token change to the attacker's contract.
Submit the proposal that transfers all AUDIO tokens in the governance contract to the attacker's contract.
Stake tokens that have a quorum.
Vote for the proposal.
Evaluate the proposal.
Swap from AUDIO to ETH on Uniswap.
Transfer ETH to the attacker.

The transaction of 1, 2, and 3 is 0xfefd829e246002a8fd061eede7501bccb6e244a9aacea0ebceaecef5d877a984

The transaction of 4 is 0x3c09c6306b67737227edc24c663462d870e7c2bf39e9ab66877a980c900dd5d5

The transaction of 5 is 0x4227bca8ed4b8915c7eec0e14ad3748a88c4371d4176e716e8007249b9980dc9

The transaction of 6 and 7 is 0x82fc23992c7433fffad0e28a1b8d11211dc4377de83e88088d79f24f4a3f28b3

`AudiusExploitWithoutProposal`

Initialize Governance contract. The address of the governance guardian change to the attacker's contract address.
Transfer all AUDIO tokens in the governance contract to the attacker's contract via the guardianExecuteTransaction function.
Swap and transfer.