Crypto mixer Tornado Cash faced a major setback when an attacker gained control over its governance system by deploying a malicious proposal contract and granting themselves fake votes. The incident was initially discovered by @samczsun, a researcher at Paradigm, a web3-focused investment firm.
According to samczsun’s findings, the attacker’s proposal closely mirrored a previously passed proposal, but covertly added an extra function that made it malicious.
However, in a recent turn of events, the attacker has submitted a new proposal aimed at restoring the state of governance. This development was shared on the mixer’s community forum.
TornadoCash attacker deployed new proposal that, if executed, would seemingly revert the damage done to the Governance functionality. Either they’re giga trolling or it will end up being an expensive but not disastrous lesson in Governance security. https://t.co/QMWYFsi8kP
— 0xdeadf4ce (@0xdface) May 21, 2023
Attacker Seizes Tornado Cash Governance
Following the successful passage of the attacker’s proposal, they activated the emergencyStop function and modified the proposal logic, granting themselves 1.2 million fake votes. Against over 700,000 legitimate votes, that tally gives the attacker complete control over Tornado Cash’s governance system.
Having gained full control, the attacker possesses the authority to perform various actions such as withdrawing locked votes, depleting tokens in the governance contract, and potentially disrupting the router. However, they are unable to drain individual pools.
samczsun issued a warning, stating, “Be careful what you vote for! While we all know that proposal descriptions can lie, proposal logic can lie too! If you’re relying on the verified source code to remain unchanged, ensure that the contract lacks the ability to self-destruct.”
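The warning above boils down to a pre-vote check: verified source code only tells you what a proposal does if the contract cannot destroy itself and be replaced. The following added example (not code from the article or from Tornado Cash) scans a contract’s runtime bytecode for the SELFDESTRUCT opcode, and also flags DELEGATECALL because a delegated call can reach SELFDESTRUCT in another contract. The bytecode samples are constructed; the disassembler skips PUSH immediates so that a data byte of 0xff is not mistaken for an opcode.

```python
"""Heuristic pre-vote check for governance proposal contracts.

Flags opcodes that let a contract's logic change after its source was
verified: SELFDESTRUCT (0xff) and DELEGATECALL (0xf4). Runtime bytecode
is what an RPC node's eth_getCode returns; here it is constructed inline.
"""

PUSH1, PUSH32 = 0x60, 0x7F
SELFDESTRUCT, DELEGATECALL = 0xFF, 0xF4


def disassemble(code: bytes):
    """Yield (offset, opcode) pairs, skipping the immediate bytes that
    follow PUSH1..PUSH32 so data is never mistaken for an instruction."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        yield pc, op
        pc += 1
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1  # PUSHn is followed by n immediate bytes


def risky_opcodes(code_hex: str) -> dict[str, list[int]]:
    """Return byte offsets of every SELFDESTRUCT and DELEGATECALL found."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    found: dict[str, list[int]] = {"SELFDESTRUCT": [], "DELEGATECALL": []}
    for pc, op in disassemble(code):
        if op == SELFDESTRUCT:
            found["SELFDESTRUCT"].append(pc)
        elif op == DELEGATECALL:
            found["DELEGATECALL"].append(pc)
    return found


def is_safe_to_vote(code_hex: str) -> bool:
    """True when neither opcode is present; a heuristic, not a proof."""
    return not any(risky_opcodes(code_hex).values())


# Constructed sample: PUSH2 0xffff, PUSH1 0, SSTORE, STOP. The 0xff bytes
# are PUSH data, so a naive byte search would raise a false alarm.
BENIGN = "0x61ffff60005500"
# Constructed sample: PUSH1 0, PUSH1 0, SSTORE, then CALLER + SELFDESTRUCT,
# i.e. the shape of a hidden selfdestruct(msg.sender) "emergency stop".
MALICIOUS = "0x600060005533ff"

if __name__ == "__main__":
    for name, code in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, risky_opcodes(code), "safe" if is_safe_to_vote(code) else "UNSAFE")
```

A passing scan does not make a proposal safe; it only removes one specific way for the logic behind verified source to change before execution.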
Over $2.1M in TORN Tokens Stolen
Shortly after compromising Tornado Cash’s governance contract, the attacker drained 473,000 TORN tokens (equivalent to over $2.1 million) from it, as confirmed by a tweet from Web3 media group @WhaleCoinTalk. The attacker then sold these assets on-chain and reinvested the profits back into Tornado Cash.
Tornadosaurus-Hex, an active member of the Tornado Cash community, acknowledged the attack’s impact on all funds within governance and urged members to withdraw their locked assets.
While encouraging users to retrieve their funds, Tornadosaurus-Hex also proposed a potential way to revert the changes: a contract designed to undo the modifications made by the attacker. They asked other community members to review the solution and propose alternatives for addressing the situation.
As expected, the news of the attack led to a significant drop in the value of TORN tokens. After reaching $7.3 on May 20, the token experienced a decline of approximately 40% in the subsequent days and is currently valued at $4.5.