Through a malicious proposal, an adversary was able to seize complete control of the governance of the decentralized cryptocurrency mixer Tornado Cash, thereby compounding its existing obstacles.
At 3:25 EST on May 20, an attacker successfully granted 1,250,000 votes to a malicious proposal. Given that the bid received over 700,000 valid votes, the assailant gained complete control of Tornado Cash’s governance.
The information was shared by @samczsun of the research-driven technology investment firm Paradigm, who revealed that when sharing the malicious proposal, the attacker claimed that it employed a similar logic to a proposal previously approved by the community.
This time, however, the proposal served an additional purpose.
As explained by @samczsun:
“Once the proposal was passed by voters, the attacker simply used the emergencyStop function to update the proposal logic to grant themselves the fake votes.”
The complete control over Tornado Cash’s governance permits an attacker to withdraw all locked votes, deplete all tokens from the governance contract, and brick the router.
As of writing, the attacker “simply withdrew 10,000 votes as TORN and sold them all,” according to @samczsun.
The attack serves as a reminder to cryptocurrency investors to examine proposal descriptions and logic thoroughly.
Tornado Cash’s active community, known as Tornadosaurus-Hex or Mr. Tornadosaurus-Hex, has confirmed that all funds in Governance are potentially compromised and has requested that all members withdraw all funds locked in Governance.
As shown above, they also attempted to deploy a contract that could potentially undo the alterations while still advising the community to withdraw its funds.
The team is currently searching for Solidity developers who can aid in the protocol’s survival.
In addition, they stated, “We need to make contact with Binance; this exchange has more tokens than the attacker.”
A former Tornado Cash developer is reportedly creating a brand-new crypto mixing service that addresses the “critical flaw” in Tornado Cash.
The developer hopes the proposed solution will enable “the community to defend against hackers abusing the anonymity sets of honest users without requiring blanket regulation or sacrificing crypto ideals.”