Audius: Storage collision in upgradeable proxy — governance contract reinitializable via AudiusAdminUpgradabilityProxy slot 0 collision with OpenZeppelin Initializable; attacker reinitializes, inflates own voting power, passes malicious treasury transfer proposal
Summary #
Audius, a Web3 music platform / DAO governance project, suffered an exploit on 2022-07-23, resulting in a loss of approximately $6M.
What happened #
Audius lost $6M in AUDIO tokens when an attacker exploited an OpenZeppelin storage slot collision to reinitialize the governance contract, delegate 10 trillion voting tokens to themselves, and pass a treasury transfer proposal — all without owning a single AUDIO token legitimately.
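The storage layout behind this collision, as an added illustration that is not Audius's or OpenZeppelin's code (contract names are hypothetical): a proxy that keeps its admin in a regular storage variable shares slot 0 with the implementation's Initializable flags, so the "already initialized" check is evaluated against address bytes rather than against anything the implementation wrote, and the hardened proxy moves its own state to an EIP-1967 pseudo-random slot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Constructed illustration with hypothetical names; not Audius's or
// OpenZeppelin's code. Only the storage-slot layout matters here.

// Minimal stand-in for OpenZeppelin's Initializable: both flags are packed
// into slot 0 of whatever storage the code runs against, which under
// delegatecall is the proxy's storage, not the implementation's.
abstract contract InitializableStandIn {
    bool private initialized;   // slot 0, byte 0
    bool private initializing;  // slot 0, byte 1
    modifier initializer() {
        require(initializing || !initialized, "already initialized");
        bool topLevel = !initializing;
        if (topLevel) { initializing = true; initialized = true; }
        _;
        if (topLevel) { initializing = false; }
    }
}

contract GovernanceStandIn is InitializableStandIn {
    address public guardian;    // slot 1
    function initialize(address _guardian) external initializer {
        guardian = _guardian;   // must be callable exactly once
    }
}

// Vulnerable: the proxy's own admin variable occupies slot 0, so through the
// proxy the flags above are read from the admin address's two lowest bytes,
// and initialize() both reads and overwrites the admin address.
contract CollidingProxy {
    address private proxyAdmin;  // slot 0: collides with the two flags
    // implementation pointer and delegatecall fallback omitted
}

// Hardened: proxy state lives only in an EIP-1967 pseudo-random slot, so
// slots 0, 1, ... belong entirely to the implementation.
contract UnstructuredProxy {
    bytes32 private constant ADMIN_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);
    function _admin() internal view returns (address a) {
        bytes32 slot = ADMIN_SLOT;
        assembly { a := sload(slot) }
    }
    function _setAdmin(address a) internal {
        bytes32 slot = ADMIN_SLOT;
        assembly { sstore(slot, a) }
    }
}
```

A review check that catches this class of bug: diff the storage layout of the proxy against that of the implementation (for example with the compiler's `--storage-layout` output) and require that the proxy declare no regular storage variables at all.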
Linked factors #
- RD-F-008 (illustrative): Bug survived review. RD-F-008 = ignored disclosure; closest semantic match for an audit-missed bug. [via dashboard_risk_factors / Vulnerability in audited or unaudited code: Audited — storage collision survived review]
- RD-F-101 (illustrative): Large governance proposal queued; the RT signal would have fired. [via realtime_signals / Governance/admin action (Y/N): Y — the reinitialize and delegated-vote governance action was the core mechanism]