Attacker uses malicious proposal to take over Tornado Cash governance

Quick Take

  • A malicious proposal passed by the Tornado Cash DAO gave an attacker complete control over its governance system.
  • The attacker has already drained locked votes from the system and sold many of them.

An attacker managed to get a malicious proposal passed by the Tornado Cash DAO, one that handed them complete control over its governance system.

Tornado Cash is a crypto mixing service that runs on Ethereum and was sanctioned by the U.S. Treasury. Its governance system controls upgrades to the protocol and is controlled by holders of the project's native TORN tokens.

On May 20 the governance system approved an upgrade that was purportedly identical to a previous upgrade that had already passed. That wasn't true: the attacker had added an extra function, according to a pseudonymous security researcher known as Samczsun on Twitter. Once the upgrade passed, the attacker used this function to hand themselves an extra 1.2 million votes, giving them effective control over the entire governance system.
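The attack above worked because voters trusted the proposal's description ("the same as the previous upgrade") instead of the bytecode that was actually deployed. The following added example, which is not from the article or from Tornado Cash, shows the kind of check a voter or reviewer can run offline: compare the candidate proposal's runtime bytecode byte-for-byte against the reference it claims to match and, when they differ, list the function selectors that appear only in the candidate. Selectors are recovered by walking the EVM opcode stream so that bytes inside PUSH data are never mistaken for instructions. The bytecode below is constructed for the example: a minimal Solidity-style dispatcher for two well-known ERC-20 selectors, with a hypothetical extra function (placeholder selector `0xdeadbeef`) in the candidate. Fetching real bytecode (for example via `eth_getCode`) is left out and is assumed to happen before calling `audit_proposal`.

```python
"""Detect an undisclosed function in a governance proposal's runtime bytecode.

Added example, not part of the article. Sample bytecode is constructed and is
not meant to be executed on a chain; it only mimics the dispatcher layout that
Solidity emits (DUP1 PUSH4 <selector> EQ PUSH2 <dest> JUMPI).
"""
from typing import Dict, Iterator, List, Set, Tuple

PUSH1, PUSH32, PUSH4, EQ = 0x60, 0x7F, 0x63, 0x14


def disassemble(code: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk the bytecode linearly, yielding (offset, opcode, push_data).

    PUSH1..PUSH32 (0x60..0x7f) carry 1..32 bytes of immediate data, which
    must be skipped so a 0x63 inside a constant is not read as PUSH4.
    """
    i = 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            yield i, op, code[i + 1:i + 1 + n]
            i += 1 + n
        else:
            yield i, op, b""
            i += 1


def extract_selectors(code: bytes) -> Set[str]:
    """Heuristic: a PUSH4 immediately compared with EQ is a dispatch selector."""
    ins = list(disassemble(code))
    found: Set[str] = set()
    for k, (_, op, data) in enumerate(ins):
        if op != PUSH4:
            continue
        # Accept PUSH4 <sel> EQ and PUSH4 <sel> DUPn EQ (both emitted by solc).
        following = [o for _, o, _ in ins[k + 1:k + 3]]
        if EQ in following:
            found.add("0x" + data.hex())
    return found


def audit_proposal(reference: bytes, candidate: bytes) -> Dict[str, object]:
    """Return whether the candidate matches the reference and which selectors differ."""
    ref_sel = extract_selectors(reference)
    cand_sel = extract_selectors(candidate)
    return {
        "identical": reference == candidate,
        "added_selectors": sorted(cand_sel - ref_sel),
        "removed_selectors": sorted(ref_sel - cand_sel),
    }


def build_dispatcher(selectors: List[bytes]) -> bytes:
    """Constructed dispatcher fragment used as sample input (not real contract code)."""
    code = bytes.fromhex("600035 60e01c")  # PUSH1 0 CALLDATALOAD; PUSH1 0xe0 SHR
    for sel in selectors:
        # DUP1 PUSH4 <sel> EQ PUSH2 0x0010 JUMPI (jump target is a dummy value)
        code += b"\x80\x63" + sel + b"\x14\x61\x00\x10\x57"
    code += b"\x00"  # STOP
    # Decoy trailer: PUSH5 0x6312345678 EQ. A naive byte scan for "63 .. .. .. .. 14"
    # would report 0x12345678 as a selector; the opcode walker does not.
    code += bytes.fromhex("64 6312345678 14")
    return code


# Well-known ERC-20 selectors; the extra one is a hypothetical placeholder.
TRANSFER = bytes.fromhex("a9059cbb")    # transfer(address,uint256)
BALANCE_OF = bytes.fromhex("70a08231")  # balanceOf(address)
EXTRA_HYPOTHETICAL = bytes.fromhex("deadbeef")

REFERENCE_CODE = build_dispatcher([TRANSFER, BALANCE_OF])
CANDIDATE_CODE = build_dispatcher([TRANSFER, BALANCE_OF, EXTRA_HYPOTHETICAL])

if __name__ == "__main__":
    report = audit_proposal(REFERENCE_CODE, CANDIDATE_CODE)
    print(report)  # identical: False, added_selectors: ['0xdeadbeef']
```

A byte-for-byte mismatch alone is enough to reject a proposal that claims to be identical to an earlier one; the selector diff only tells the reviewer where to look first. The selector heuristic is a convenience for humans, not a security boundary: a contract can expose behaviour without a clean dispatcher pattern, so the equality check is the one that decides.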

The attacker has already used this control to their advantage. Straight away, they withdrew 10,000 votes in the form of TORN tokens and sold them all for $25,600. Then they drained the remainder of the locked votes, Samczsun said.

In total, 483,000 TORN was taken from the vault, according to on-chain analyst EmberCN. They claimed 6,000 TORN was deposited on crypto exchange Bitrue, that 379,000 was sold on-chain for $680,000 of ether and just under 100,000 TORN remains under the attacker's control.
