Adding to the existing roadblocks facing the decentralized cryptocurrency mixer Tornado Cash, an attacker managed to gain complete control over its governance using a malicious proposal.
On May 20 at 3:25 am ET, an attacker successfully cast 1.2 million votes for a malicious proposal. Given that the proposal received over 700,000 legitimate votes, the attacker gained complete control over the running of Tornado Cash.
On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz
— @samczsun.com (@samczsun) May 20, 2023
The information was shared by @samczsun of research-driven technology investment firm Paradigm, who revealed that, when posting the malicious proposal, the attacker claimed that it used logic similar to that of a proposal the community had previously passed. This time, however, the proposal had an additional function.
As @samczsun explained:
“Once the proposal was accepted by the voters, the attacker simply used the EmergencyStop function to update the proposal’s logic to provide itself with fake votes.”
The total control over Tornado Cash governance allows the attacker to withdraw all of the locked votes, drain all of the tokens in the governance contract and brick the router. At the time of writing, the attacker “simply withdrew 10,000 votes as TORN and sold it all,” said @samczsun.
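The failure mode described above, logic that changes between the vote and execution, can be shown with a small model. This is an added example, not Tornado Cash contract code: the `Chain` and `Governance` classes, the `0xPROPOSAL` address and the placeholder code strings are all hypothetical, and SHA3-256 stands in for an on-chain code hash. It contrasts an executor that runs whatever code sits at the proposal address with one that pins the hash of the code voters reviewed.

```python
import hashlib

class Chain:
    """Constructed model: code stored at an address can later be replaced."""
    def __init__(self):
        self.code = {}

    def deploy(self, address, code):
        self.code[address] = code

    def code_hash(self, address):
        # Stand-in for an on-chain code hash (real chains use Keccak-256).
        return hashlib.sha3_256(self.code[address]).hexdigest()

class Governance:
    """Hypothetical governance that executes the code a proposal points to."""
    def __init__(self, chain, pin_code):
        self.chain, self.pin_code, self.proposals = chain, pin_code, {}

    def propose(self, address):
        pid = len(self.proposals) + 1
        # Record the hash of the code that voters will actually review.
        self.proposals[pid] = {"address": address, "passed": False,
                               "reviewed_hash": self.chain.code_hash(address)}
        return pid

    def mark_passed(self, pid):
        self.proposals[pid]["passed"] = True

    def execute(self, pid):
        p = self.proposals[pid]
        if not p["passed"]:
            raise PermissionError("proposal has not passed")
        if self.pin_code and self.chain.code_hash(p["address"]) != p["reviewed_hash"]:
            raise RuntimeError("proposal code changed after review")
        return self.chain.code[p["address"]]  # the logic that would run

def run_scenario(pin_code):
    chain = Chain()
    gov = Governance(chain, pin_code)
    chain.deploy("0xPROPOSAL", b"REVIEWED_LOGIC")   # constructed placeholder
    pid = gov.propose("0xPROPOSAL")
    gov.mark_passed(pid)
    chain.deploy("0xPROPOSAL", b"REPLACED_LOGIC")   # logic swapped after the vote
    try:
        return gov.execute(pid).decode()
    except RuntimeError as err:
        return f"rejected: {err}"

if __name__ == "__main__":
    print("unpinned:", run_scenario(False))
    print("pinned:  ", run_scenario(True))
```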
The attack comes as a reminder to cryptocurrency investors to vet proposal descriptions and logic. An active Tornado Cash community member, who goes by the name Tornadosaurus-Hex or Mr. Tornadosaurus Hex, confirmed that all funds in governance are potentially compromised and asked all members to withdraw all funds locked in governance.
They also attempted to roll out a contract that could potentially reverse the changes while still allowing the community to withdraw their funds. Cointelegraph also received a distress call from one of the Tornado Cash community developers, who confirmed the above events, stating:
“There was an attack on the protocol this morning that you already know about. All day long, another community developer and I have been thinking about what to do, but the situation is close to a hopeless one – at present, the attacker is in control.”
The team is currently in search of Solidity developers that can help save the protocol from extinction. They additionally stated that “we need contact with Binance – this exchange has more tokens than the attacker.”
The former developer of Tornado Cash is reportedly working on building a new cryptocurrency mixing service from the ground up that fixes a “critical flaw” that exists in Tornado Cash.
1/ We fixed @tornadocash 😇
v0 of https://t.co/Nt4b2Tgx1D is live on @optimismFND
test out the demo, but please note:
– this is experimental code
– it has not been audited
– the trusted setup is untrusted
read the full story anon 🧵👇 https://t.co/9nAU3RrgpN
— Ameen Soleimani (@ameensol) March 4, 2023