Attacker uses malicious proposal to take over Tornado Cash governance

Crypto Ecosystems • May 21, 2023, 5:05AM EDT
The Block

Quick Take

  • A malicious proposal passed by the Tornado Cash DAO gave an attacker complete control over its governance system.
  • The attacker has already drained locked votes from the system and sold many of them.

An attacker managed to get a malicious proposal passed by the Tornado Cash DAO, one that handed them complete control over its governance system.

Tornado Cash is the crypto mixing service that runs on Ethereum and was sanctioned by the U.S. Treasury. Its governance system controls upgrades to the protocol and is run by those holding the project's native TORN tokens.

The governance system approved on May 20 an upgrade that was purportedly the same as a previous upgrade that had passed. Yet that wasn't true as the attacker had added an extra function, according to a pseudonymous security researcher known as Samczsun on Twitter. Once the upgrade was passed, the attacker used this function to hand themselves an extra 1.2 million votes, giving them effective control over the entire governance system.

The attacker has already used this control to their advantage. Straight away, they withdrew 10,000 votes in the form of TORN tokens and sold them all for $25,600. Then they drained the remainder of the locked votes, Samczsun said.

In total, 483,000 TORN was taken from the vault, according to on-chain analyst EmberCN. They claimed 6,000 TORN was deposited on crypto exchange Bitrue, that 379,000 was sold on-chain for $680,000 of ether and just under 100,000 TORN remains under the attacker's control.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

Binance said it would stop deposits and withdrawals of TORN, according to Wu Blockchain, while Justin Sun said on Twitter that deposits and withdrawals of the token remain open on Huobi.

Samczsun noted that with the control over the governance system, the attacker can drain all of the tokens in the governance contract and effectively stop the router from working, a core part of how the protocol operates. On the flip side, the reseacher noted that the attacker isn't able to drain the funds that are held within the protocol — such as ether that's being used for mixing — except for one pool on Gnosis Chain, which is upgradeable.

The price of TORN fell from a high of $7.3 yesterday to as low as $3.75 today. It has since rebounded to $4.60.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Tim is the Editor-In-Chief of The Block. Prior to joining The Block, Tim was a news editor at Decrypt. He has earned a bachelor's degree in philosophy from the University of York and studied news journalism at Press Association Training. Follow him on X @Timccopeland.