A malicious actor recently exploited Tornado Cash’s governance, enabling them to seize total control. This could potentially allow them to retrieve all the secured votes, empty the tokens held in the governance contract, and disable the router.
Tornado Cash, a decentralized crypto mixer, has faced another setback due to this incident. An attacker cunningly secured full control over the platform’s governance via a devious proposal.
The incident occurred on May 20 at 3:25 ET, when the attacker successfully attributed 1.2 million votes to a nefarious proposal. The proposal had already amassed over 700,000 valid votes, thus enabling the attacker to monopolize Tornado Cash’s governance.
How was Tornado Cash’s governance exploited?
The disclosure was provided by @samczsun, affiliated with Paradigm, a research-oriented technology investment firm. He exposed the attacker’s claim that the malicious proposal utilized a similar logic to one that the community had previously accepted. Yet, this particular proposal contained an added function.
According to @samczsun, Tornado Cash’s governance was essentially annihilated on 2023/05/20 at 07:25:11 UTC. Through a crafty proposal, the attacker allotted themselves 1,200,000 votes. Since this number exceeds the approximate 700,000 authentic votes, they now wield absolute control.
What are the implications of this for Tornado Cash?
The assailant, by seizing control of the governance, can:
Retrieve all secured votes
Empty all tokens contained in the governance contract
Disable the router
Nonetheless, the attacker is still unable to:
Deplete individual pools
What caused this event?
When the malicious actor formulated their deceptive proposal, they alleged it was based on the same logic as a previously approved proposal. However, this wasn’t entirely accurate because they incorporated an additional function.
Upon voter approval of the proposal, the attacker leveraged the emergencyStop function to modify the proposal’s logic, which in turn awarded them counterfeit votes.
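As an added illustration, written from the defender’s side and not taken from Tornado Cash’s own contracts, the Solidity sketch below shows the check a governance contract can make so that the logic voters approved is the logic that actually executes: it records the proposal contract’s runtime code hash when the proposal is created and refuses execution if that hash no longer matches. The contract name PinnedProposalGovernance, the three-day voting period, the quorum constant and the ether-locking stand-in for token-based voting power are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical governance sketch (added example, not Tornado Cash's code).
// The incident above turned on a proposal whose logic changed between the vote
// and execution. The defence here pins the proposal contract's runtime code hash
// at proposal time and refuses to execute if the code at that address differs later.
contract PinnedProposalGovernance {
    struct Proposal {
        address target;      // contract whose executeProposal() runs via delegatecall
        bytes32 codeHash;    // target.codehash recorded when the proposal was created
        uint256 forVotes;
        uint256 againstVotes;
        uint256 voteEnd;     // timestamp after which execution is allowed
        bool executed;
    }

    uint256 public constant VOTING_PERIOD = 3 days;   // assumed value
    uint256 public constant QUORUM = 25_000e18;       // assumed threshold, in vote units

    mapping(address => uint256) public lockedBalance;              // voting power per account
    mapping(uint256 => mapping(address => bool)) public hasVoted;
    Proposal[] public proposals;

    event ProposalCreated(uint256 id, address target, bytes32 codeHash);
    event ProposalExecuted(uint256 id);

    // Stand-in for a locked governance token: ether locked 1:1 as voting power,
    // so the sketch is self-contained. A real system would use a token balance.
    function lock() external payable {
        lockedBalance[msg.sender] += msg.value;
    }

    function propose(address target) external returns (uint256 id) {
        bytes32 h = target.codehash;
        // codehash is 0x0 for a non-existent account and keccak256("") for an EOA;
        // either way there is no contract code to execute.
        require(h != bytes32(0) && h != keccak256(""), "target has no code");
        proposals.push(Proposal({
            target: target,
            codeHash: h,
            forVotes: 0,
            againstVotes: 0,
            voteEnd: block.timestamp + VOTING_PERIOD,
            executed: false
        }));
        id = proposals.length - 1;
        emit ProposalCreated(id, target, h);
    }

    function castVote(uint256 id, bool support) external {
        Proposal storage p = proposals[id];
        require(block.timestamp < p.voteEnd, "voting closed");
        require(!hasVoted[id][msg.sender], "already voted");
        uint256 weight = lockedBalance[msg.sender];
        require(weight > 0, "no voting power");
        hasVoted[id][msg.sender] = true;
        if (support) {
            p.forVotes += weight;
        } else {
            p.againstVotes += weight;
        }
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.timestamp >= p.voteEnd, "voting still open");
        require(!p.executed, "already executed");
        require(p.forVotes >= QUORUM && p.forVotes > p.againstVotes, "proposal not passed");
        // The check that blocks a swapped-out proposal body: the bytecode executing
        // now must be byte-for-byte what voters reviewed when the proposal was made.
        require(p.target.codehash == p.codeHash, "proposal code changed since vote");
        p.executed = true;   // set before the call to block re-execution
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "proposal execution failed");
        emit ProposalExecuted(id);
    }
}
```

The pin covers only the proposal contract’s own bytecode. If the approved proposal body calls out to other contracts, their code is not pinned, so reviewers still need to read the proposal for external calls and for any path that writes governance storage (vote balances included) through the delegatecall.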
The attacker’s complete dominance over Tornado Cash’s governance empowers them to retrieve all locked votes, empty the governance contract of all tokens, and disable the router. As per @samczsun, at the time of reporting, the attacker had “simply withdrawn 10,000 votes as TORN and subsequently liquidated them all.”
This incident serves as a crucial reminder to cryptocurrency investors to thoroughly scrutinize proposal descriptions and their underlying logic. A prominent member of the Tornado Cash community, known as Tornadosaurus-Hex or Mr. Tornadosaurus Hex, has confirmed the potential compromise of all funds in Governance. He has urged all members to withdraw any funds currently secured in governance.
The Tornado Cash community developer
They also attempted to set up a contract that might potentially reverse the changes, all the while advising the community to withdraw their funds. A distress signal from a Tornado Cash community developer, who verified these incidents, stated:
“We were aware of the protocol attack this morning. A fellow community developer and I have been contemplating solutions all day, but the situation seems nearly hopeless – as it stands, the attacker holds control over Governance.”
Currently, the team is seeking Solidity developers who can help prevent the protocol’s imminent demise. They have also expressed a need for communication with Binance, citing that this exchange possesses more tokens than the attacker.
A previous Tornado Cash developer is said to be in the process of creating a novel crypto mixing service from the ground up, aimed at addressing the “critical flaw” inherent in Tornado Cash.
The developer envisions that this solution will enable the community to protect itself from hackers who exploit the anonymity sets of honest users, without necessitating overarching regulation or compromising on crypto principles.
Zimbabwe’s central bank is launching a digital currency backed by gold.
They plan to start selling these digital coins to investors on May 8th, 2023. Individual buyers can get them for at least $10, while companies and other groups need to spend a minimum of $5,000.
The Reserve Bank of Zimbabwe announced that people can buy these gold-backed digital coins with U.S. dollars or local currency.
However, if using local currency, the price will be 20% higher than the average market rate. Investors can join in and buy these coins starting May 8th, but the opportunity will end two days later.
The “willing-buyer willing-seller interbank mid-rate” is a middle point between the rates banks are ready to buy and sell different currencies to one another.
It depends on factors like how much of a currency is available and how much people want it. This rate helps set prices for many financial deals, and banks and other financial institutions often use it as a reference.
On April 28th, the Reserve Bank of Zimbabwe shared their plans to create a digital currency supported by gold, which can be used as official money in the country.
Zimbabwe has faced issues with unstable currency and high inflation for over a decade. After a period of extreme inflation, the country started using the U.S. dollar in 2009. Nigeria was the first African country to introduce its own digital currency, called the eNaira, in 2021.
Zimbabwe and hyperinflation
This new digital currency is part of Zimbabwe’s efforts to strengthen its local currency. Zimbabwe has been trying hard to overcome the effects of hyperinflation over the past decade.
In 2009, Zimbabwe replaced its valueless local currency with the U.S. dollar. However, their economy has faced difficulties due to a significant shortage of U.S. dollars in the country.
In early 2019, Zimbabwe’s central bank revealed plans to reintroduce the Zimbabwe dollar as legal tender, after using the US dollar and seven other global currencies for a decade. The reason for this change was that extreme hyperinflation had severely weakened the local currency.
However, many people ignored this, the black market flourished, and the local currency devalued quickly. The government then allowed the use of the U.S. dollar again.
Due to the previous severe inflation, many people now prefer to find scarce U.S. dollars on the illegal market for their savings or daily transactions. Confidence in the Zimbabwe dollar is so low that numerous retailers and even some government institutions don’t accept it.
On the official market, the exchange rate is slightly above 1,000 Zimbabwe dollars to the U.S. dollar. But on the thriving illegal street market, it’s about double that amount in local currency.
Zimbabwe has tried unusual ideas to prevent its currency from losing value.
In July 2022, Zimbabwe introduced gold coins as legal tender to stabilize the local currency and preserve its value. However, many people found them too expensive to purchase everyday items like bread.
In March 2023, the Monetary Policy Committee approved a plan to support Zimbabwe’s local currency.
This came eight months after the country introduced gold coins as a way to maintain the currency’s value. This plan seemed to have worked. In January 2023, according to the Committee’s monthly report, the price of gold increased by 5.7% (from US$1,795.97 to US$1,898.95 per ounce). While the price in February retreated slightly (by 2.3%), the Committee decided to go through with its plan.
According to the bank’s statement, the pricing of the gold-backed tokens in Zimbabwe will be based on international gold prices set by the London Bullion Market Association.
Both Mastercard and Visa continue to expand their presence in the crypto sector with new initiatives and collaborations.
Visa’s crypto division is building the “next generation of products” for digital commerce and is seeking to hire software engineers with Web3 and blockchain experience.
Mastercard launches “Mastercard Crypto Credential,” a Web3 user verification solution designed to enhance user verification standards and reduce opportunities for bad actors in the digital asset space.
Mastercard partners with crypto wallet providers Bit2Me, Lirium, Mercado Bitcoin, and Uphold, as well as blockchains Aptos, Avalanche, Polygon, and Solana.
Visa is paving the way for the mainstream adoption of stablecoins
Visa is working on a new crypto project that aims to make public blockchain networks and stablecoin payments more popular and widely used.
As a major global payment company, Visa is looking into how cryptocurrencies can be helpful by focusing on a new plan related to stablecoin payments. On April 24, Cuy Sheffield, the person in charge of crypto at Visa, shared news about this new project on Twitter.
Visa is working on a new crypto project that aims to make blockchain networks and stablecoin payments more common and widely accepted. Sheffield, who’s in charge of the project, mentioned this in a tweet.
On April 20, Visa shared a job ad, saying they’re creating new, advanced products to help with everyday digital shopping.
To create this product, Visa wants to hire software engineers who know about programming, backend systems, and Web3 technologies. Sheffield tweeted that they’re especially interested in those with experience using GitHub Copilot and other AI tools for writing and fixing smart contracts.
Ideal candidates should know about layer 1 and layer 2 solutions and have experience with Solidity, a programming language used for smart contracts on the Ethereum Network. Solidity helps create smart contracts on blockchain platforms and keeps track of transactions in the system.
The job also needs candidates to know about different types of distributed ledger networks (public and permissioned), security measures, handling private keys, and new improvements in Ethereum, like ERC-4337.
Visa, one of the biggest payment companies, started getting involved with crypto in 2020. They teamed up with blockchain company Circle to allow USD Coin (USDC) stablecoin on some credit cards.
Visa has been slowly growing its crypto services, but they stopped some new partnerships because of the 2022 crypto market downturn and big failures like Celsius and FTX.
Mastercard is enhancing user verification and strengthening security in the digital asset space
Mastercard’s new approach focuses on offering safe transactions between users, verified based on the company’s standards.
The worldwide financial company, Mastercard, introduced a new Web3 solution to improve user verification and limit chances for wrongdoers in the digital asset area.
They announced the “Mastercard Crypto Credential” solution on April 29. In a video shared on Twitter, the company explained that they are creating a method for Web3 and blockchain services to ensure secure transactions between users, following Mastercard’s verification standards.
With this solution, users get a unique “Mastercard crypto credential” identifier, allowing them to quickly check if a receiving address is approved by Mastercard and follows the company’s rules. Mastercard’s solution also supports regulatory compliance by exchanging important metadata needed to meet requirements. This helps limit chances for wrongdoers and reduces the risk of losing funds permanently.
If any bad actors manage to get a unique identifier, Mastercard can quickly take away their verification if they’re found involved in harmful activities. The company has partnered with many others for this solution:
For crypto wallets, they’ve joined forces with Bit2Me, Lirium, Mercado Bitcoin, and Uphold.
For blockchains, they’ve teamed up with Aptos, Avalanche, Polygon, and Solana.
Mastercard also plans to use CipherTrace’s services, including CipherTrace Traveler, to verify addresses and ensure compliance with the Travel Rule for cross-border transactions.
Over the past few years, Mastercard has been increasing its involvement in the crypto sector. Recently, they announced a nonfungible token (NFT) musician accelerator program in partnership with Polygon.
The program provides free access to resources, unique AI tools, and other experiences for holders of Mastercard’s Music Pass NFT until the end of April.
The 2020-created regulatory package now awaits the European Council’s approval before being enforced. Following two previous postponements, the European Parliament has held the final vote on the Markets in Crypto-Assets Act (MiCA).
The legislation, initially proposed in 2020, must be approved by the European Council before taking effect.
The vote took place on April 20. Stefan Berger, the European Parliament member and crypto advocate, called this a milestone for the crypto industry.
What’s the point of the Markets in Crypto-Assets Act (MiCA)?
MiCA aims to establish standardized regulations and harmonized rules for crypto assets across the European Union (EU), providing legal certainty for the crypto industry and investors.
The regulation will set guidelines for the operations, structure, and governance of digital asset token issuers and impose rules on transparency and disclosure requirements for crypto issuance and trading.
MiCA’s specific provisions regarding stablecoins will be enforced in July 2024, while other provisions, including those for crypto asset service providers, will come into effect in January 2025.
The regulation has been met with cautious optimism. However, the rules set out in the 400-page document have also raised concerns among specialists.
For instance, the current draft, which was submitted to vote, does not mention decentralised finance (DeFi), address the growing crypto lending and staking sector, or establish rules for nonfungible tokens.
The industry speaks strongly for the need for cooperation between governments, regulators, and industry stakeholders. This was one of the topics at Paris Blockchain Week 2023.
While the future is uncertain, EU officials say that MiCA should help mitigate the negative impacts of incidents such as FTX’s insolvency in the future.
Limitation of MiCA
MiCA will become the first comprehensive pan-European crypto framework, set to take effect in 2024. During the latter half of last year, when most of the MiCA text had been drafted, the industry experienced several shocks, creating new challenges for regulators.
However, given the rapid expansion and dynamic nature of the crypto industry, there will always be new issues that will need to be addressed.
This raises the question of whether MiCA, given its current imperfections, can be considered a truly “comprehensive framework” a year from now.
More importantly, will it be an effective set of rules to prevent future failures similar to those involving TerraUSD or FTX?
EU DeFi regulations need to improve
A significant oversight in the MiCA is its treatment of decentralised finance (DeFi). The current draft largely omits any mention of this more recent organisational and technological development in the crypto space, which could pose a problem when MiCA is implemented.
If and when more users turn to DeFi, after the countless failures of the centralized platforms, customers will need regulations to receive protection. And there’s also the money laundering issue. However, given the decentralisation of DeFi, regulating this branch is a huge hurdle for authorities. Customers are still new to the crypto market, and many take their first contact using centralised exchanges.
But the absence of a specific section devoted to DeFi does not imply it is impossible to regulate. DeFi is essentially a collection of derivatives, bonds, loans, and equity financing presented as something new and innovative. In this sense, industry thought leaders believe that the yield-bearing, lending, and borrowing of collateralised crypto products are areas of interest for investment and commercial banks and should be regulated similarly. In this context, the suitability requirements outlined in MiCA could be helpful. For example, DeFi projects might be classified as providing crypto asset services in MiCA’s terminology.
Lending and staking
DeFi might be the most prominent, but it is not the only shortcoming of the forthcoming MiCA. The EU framework also neglects to address the burgeoning sectors of crypto lending and staking.
Considering recent failures involving lending giants like Celsius and the increasing attention of American regulators to staking operations, EU lawmakers will need to develop appropriate regulations as well.
The market collapse last year was driven by poor practices in this space, such as weak or non-existent risk management and reliance on worthless collateral.
On the other side of the financial system are banks. Legacy commercial or investment banks and even “traditional” fintech companies face more stringent regulations. Some believe the EU should provide a standard that should apply to all these services and products, which includes both investment banks and crypto platforms offering lending and staking services.
Non-fungible tokens (NFTs) are another area to monitor. In August 2022, European Commission Adviser Peter Kerstens revealed that despite the lack of a specific definition in MiCA, NFTs would be regulated like cryptocurrencies in general. In practice, this could imply that NFT issuers would be considered crypto asset service providers and required to submit regular reports of their activities to the European Securities and Markets Authority through their local governments.
Is the EU’s regulation (MiCA) a good thing?
While MiCA still has some unresolved issues, the industry is moving forward and helping legitimise the market.
However, it’s necessary that European lawmakers keep pace with regulatory updates. There’s a need for a more robust approach to some of the technical standards and guidelines currently being developed as part of the MiCA regime. The process of developing and putting these regulations in place is also slow in the EU.
On the other hand, the EU has legislation for the crypto industry, whereas other economic powers do not.
Following numerous postponements, Ethereum validators are now able to retrieve their staked Ether and associated rewards from the Ethereum mainnet. The Shapella hard fork has been successfully implemented on the Ethereum mainnet, enabling validators to withdraw their staked Ether from the Beacon Chain.
The highly anticipated Shapella update on Ethereum has been launched, introducing the much-awaited new feature, the Ether unstaking. The Ethereum community has expressed various reactions to the latest update in the ecosystem. The term “Shapella” is a combination of “Shanghai” and “Capella,” referring to simultaneous upgrades. This hard fork marks a significant milestone in Ethereum’s development, generating excitement among community members for the network’s future.
The highly anticipated update occurred at 10:27 pm UTC on April 12, during epoch number 194,048. In the initial hour following the hard fork, Ethereum block explorer beaconcha.in reported that 12,859 Ether were released through 4,333 withdrawals.
Ether staking rewards are withdrawn
At present, approximately 44% of validators, equating to 248,043 out of 559,549 active validators, have the option to request a partial or complete withdrawal.
Most of the current withdrawals range from 2.8 to 3.2 ETH, indicating that primarily staking rewards are being withdrawn at this time. Data from Rated Network Explorer reveals that just before the Shapella hard fork was implemented, 3,996 validators joined the exit queue.
Based on data from blockchain analytics company Nansen, crypto exchange Huobi possesses the most significant portion of withdrawable Ether at 30%. The decentralized autonomous organization PieDAO follows with a 17.7% share.
Nansen data indicates that 284,622 Ether from 7,948 validators are awaiting complete withdrawal. The price of Ether experienced minimal fluctuations during the first hour after the hard fork, as forecasted in an April 11 report by blockchain intelligence platform Glassnode. In theory, the hard fork could unlock 18.1 million Ether on the Beacon Chain, which is equivalent to over $34.8 billion.
However, the Ethereum Foundation has implemented several measures to prevent a sudden influx of ETH into the market. Glassnode’s report projected that less than 1% of the total amount would be released during the first week, and the 12,859 Ether unlocked within the first hour account for a mere 0.07% of the total Ether staked on the Beacon Chain.
As for the market, the predictions are optimistic. The capacity of Ether to surpass resistance levels has led some analysts to predict a $3,000 price target in Q2 2023. Data from analytics provider Santiment reveals that whale accumulation remains robust, increasing by 0.5% in March.
This positive buying activity could support on-chain data indicating that Ether sell pressure following the Shanghai hard fork will be insignificant.
Ethereum Improvement Proposal EIP-4895 facilitated the transfer of staked Ether from the Beacon Chain to the Ethereum Virtual Machine (EVM), known as the execution layer, thereby enabling withdrawals. This update on the Ethereum blockchain represents the most substantial upgrade since the Merge on September 15 and brings Ethereum one step closer to achieving a fully operational proof-of-stake system.
The community celebrates the Ethereum Shapella upgrade
During the Shapella watch party organized by the Ethereum Foundation team, Ethereum co-founder Vitalik Buterin expressed that the network is currently in a “really good place.” He said the most challenging and rapid aspects of the Ethereum protocol’s transition have essentially concluded. There are still substantial tasks to be accomplished, but they can proceed at a more relaxed pace.
In celebration of the new update, crypto singer Jonathan Mann performed a song at the Shapella watch party.
As some community members celebrated the event, others focused on the network’s future prospects. Ethereum community member Anthony Sassano highlighted the next significant feature, EIP-4844, which aims to improve the scalability of rollups on Ethereum.
The Shapella update is expected to attract more institutional investors to Ethereum.
The U.S. Treasury warns about DeFi. But they acknowledge that the majority of money laundering, terrorist financing, and proliferation financing still take place using fiat currency or outside the realm of cryptocurrency.
According to a recent report from the U.S. Treasury Department, it was observed that individuals from the Democratic People’s Republic of Korea, along with other fraudsters, were exploiting vulnerabilities of DeFi to facilitate money laundering. The report also stated that the majority of instances of money laundering, terrorist financing, and proliferation financing still took place using fiat currency or outside the crypto ecosystem.
How illicit activity is performed on DeFi platforms
These actors utilize different tactics and services, such as exchanging virtual assets for other more manageable or less traceable virtual assets, using cross-chain bridges to swap virtual assets from other blockchains, sending virtual assets through mixers, and placing virtual assets in liquidity pools as a form of layering.
Although the money laundering process by malign actors remains the same, they may use new methods like chain hopping. Criminals find DeFi services more appealing than centralized VASPs as they don’t need to provide customer identification information.
Such laundering methods pose challenges for investigators tracing illegal proceeds, and actors typically use more than one technique, with a level of sophistication depending on their technical experience and familiarity with DeFi services. However, even lesser-skilled actors have been observed using some of these tactics, according to law enforcement.
Most of the time, they use:
DEXs and cross-chain bridges to convert virtual assets. Illicit actors often use decentralized exchanges (DEXs) to exchange virtual assets, such as cryptocurrencies, into a different virtual asset. They may do this to exchange into a more liquid asset that has higher trading volumes and is easier to cash out into fiat currency. They may also exchange virtual assets for another virtual asset that is compatible with a cross-chain bridge, mixer, or other DeFi service or exchange for an asset that is less traceable. This allows them to move their funds between different blockchains and makes it more difficult for authorities to trace financial transactions.
Virtual asset mixers to obfuscate transaction information. Criminals use virtual asset mixers to functionally obfuscate the source, destination, or amount involved in a transaction. Mixers pool or aggregate virtual assets from multiple individuals, wallets, or accounts into a single transaction. They may also split an amount into multiple amounts and transmit the virtual assets as a series of smaller independent transactions or leverage code to coordinate, manage, or manipulate the structure of the transaction. Mixing services may be advertised as a way to evade Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) requirements and rarely include the capacity and willingness to provide upon request to regulators or law enforcement the resulting transactional chain or information collected as part of the transaction.
Placing illicit funds in liquidity pools to generate funds from trading fees. Illicit actors can place criminals’ proceeds in a DeFi service’s liquidity pool, where the assets provide liquidity to support trades on the service. By placing funds into liquidity pools, actors may generate funds from trading fees. Liquidity providers typically lock their virtual assets into the liquidity pool and may receive a portion of fees or some other type of return or interest created through the DeFi service. This allows bad actors to receive profits from their illicit funds without directly accessing them.
The report’s highlights
The report highlighted that inadequate AML/CFT controls and other deficiencies in DeFi services “facilitate the theft of funds.” Brian Nelson, the undersecretary of the Treasury for Terrorism and Financial Intelligence, pointed out that illicit actors, including criminals, scammers, and North Korean cyber actors, were utilizing DeFi services to launder illicit funds. To reap the potential benefits of DeFi services, addressing these risks is necessary.
However, the Treasury reaffirmed that most instances of money laundering, terrorist financing, and proliferation financing still took place using fiat currency or outside the digital asset ecosystem.
Officials recommended increasing regulatory supervision of AML/CFT for platforms offering DeFi services, providing guidance to DeFi platforms on AML/CFT, and addressing regulatory gaps.
The evaluation was conducted in compliance with an executive order on digital assets signed by President Joe Biden in March 2022. In response to the order, various U.S. government agencies have started examining the potential implications of different aspects of the digital asset space on the country’s financial system and payment infrastructure.