Hacker Seizes Control of Tornado Cash Governance

Hacker Seizes Control of Tornado Cash Governance

A malicious actor recently exploited Tornado Cash’s governance, enabling them to seize total control. This could potentially allow them to retrieve all the secured votes, empty the tokens held in the governance contract, and disable the router.

Tornado Cash, a decentralized crypto mixer, has faced another setback due to this incident. An attacker cunningly secured full control over the platform’s governance via a devious proposal.

The incident occurred on May 20 at 3:25 ET, when the attacker successfully attributed 1.2 million votes to a nefarious proposal. The proposal had already amassed over 700,000 valid votes, thus enabling the attacker to monopolize Tornado Cash‘s governance.

How was Tornado Cash’s governance exploited?

The disclosure was provided by @samczsun, affiliated with Paradigm, a research-oriented technology investment firm. He exposed the attacker’s claim that the malicious proposal utilized a similar logic to one that the community had previously accepted. Yet, this particular proposal contained an added function.

According to @samczsun, Tornado Cash’s governance was essentially annihilated on 2023/05/20 at 07:25:11 UTC. Through a crafty proposal, the attacker allotted themselves 1,200,000 votes. Since this number exceeds the approximate 700,000 authentic votes, they now wield absolute control.

What are the implications of this for Tornado Cash?

The assailant, by seizing control of the governance, can:

  • Retrieve all secured votes
  • Empty all tokens contained in the governance contract
  • Disable the router

Nonetheless, the attacker is still unable to:

  • Deplete individual pools

What caused this event?

When the malicious actor formulated their deceptive proposal, they alleged it was based on the same logic as a previously approved proposal. However, this wasn’t entirely accurate because they incorporated an additional function.

Upon voter approval of the proposal, the attacker leveraged the emergencyStop function to modify the proposal’s logic, which in turn awarded them with counterfeit votes.

The attacker’s complete dominance over Tornado Cash’s governance empowers them to retrieve all locked votes, empty the governance contract of all tokens, and disable the router. As per @samczsun, at the time of reporting, the attacker had “simply withdrawn 10,000 votes as TORN and subsequently liquidated them all.”

This incident serves as a crucial reminder to cryptocurrency investors to thoroughly scrutinize proposal descriptions and their underlying logic. A prominent member of the Tornado Cash community, known as Tornadosaurus-Hex or Mr. Tornadosaurus Hex, has confirmed the potential compromise of all funds in Governance. He has urged all members to withdraw any funds currently secured in governance.

The Tornado Cash community developer

They also attempted to set up a contract that might potentially reverse the changes, all the while advising the community to withdraw their funds. A distress signal from a Tornado Cash community developer, who verified these incidents, stated:

“We were aware of the protocol attack this morning. A fellow community developer and I have been contemplating solutions all day, but the situation seems nearly hopeless – as it stands, the attacker holds control over Governance.”

Currently, the team is seeking Solidity developers who can help prevent the protocol’s imminent demise. They have also expressed a need for communication with Binance, citing that this exchange possesses more tokens than the attacker.

A previous Tornado Cash developer is said to be in the process of creating a novel crypto mixing service from the ground up, aimed at addressing the “critical flaw” inherent in Tornado Cash.

The developer envisions that this solution will enable the community to protect itself from hackers who exploit the anonymity sets of honest users, without necessitating overarching regulation or compromising on crypto principles.