Malicious Proposal Exploits Tornado Cash Governance

Decentralized crypto mixing platform Tornado Cash recently suffered a significant attack on its governance. A malicious proposal recently subverted its governance system, providing the threat actor with complete control over the protocol.

The threat actor successfully shifted 1.2 million votes to a proposal with deceptive intent on May 20th. This initiative received more than 700,000 legitimate votes, enabling the attacker to fully command Tornado Cash governance. This incident was highlighted by @samczsun, a researcher at Paradigm, a research-driven technology investment firm.

On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control.https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz

— @samczsun.com (@samczsun) May 20, 2023

The attacker claimed their proposal employed logic akin to a previously approved community proposal. However, it concealed an insidious function. Once approved, the attacker utilized the emergencyStop function on the governance contract to modify the proposal logic, granting themselves falsified votes.

With total control, the attacker can now withdraw all locked votes, drain the tokens from the governance contract, and effectively "brick" the on-chain router. @samczsun's latest tweets on the matter suggest that the attacker has already withdrawn 10,000 votes as TORN tokens and liquidated them.

This diligently underscores the need for the diligent scrutiny and appropriate review of proposal descriptions and logic. A Tornado Cash community member known pseudonymously as Tornadosaurus-Hex confirmed the possible compromise of all governance funds and urged members to withdraw any locked funds.

Tornado Cash's team is now actively seeking Solidity developers who could help protect the protocol from further damage. They have also indicated the necessity for dialogue with Binance, as the exchange possesses more tokens held than the threat actor and may be able to help reverse the functions implemented through the exploit.

The Tornado Cash case recently received support from major crypto policy and advocacy groups. The Blockchain Association and DeFi Education Fund jointly filed an amicus curiae brief in support of a partial summary judgment motion for the plaintiff against the U.S. Treasury Department.

Last year, the U.S. Treasury Department sanctioned Tornado Cash, asserting that it assisted the North Korean hacking group, Lazarus Group, in funneling roughly $7 billion worth of funds obtained from various exploits. The infamous Lazarus Group is notorious in the crypto sphere for stealing from prominent DeFi protocols. This accusation led to the arrest of Tornado Cash's creator, Alexy Pertsev, on money laundering charges in August, inciting public outcry.

In retaliation to these widespread exploits, the sanction was imposed by the Treasury Department's Office of Foreign Assets Control (OFAC) on Tornado Cash, placing addresses purportedly connected with the mixer on its Specially Designated Nationals and Blocked Persons List. Consequently, it is illegal for U.S. persons to interact with those addresses under threat of substantial fines and imprisonment.

Data from CoinMarketCap reveals a significant decrease in Tornado Cash's activity following these developments, with transaction volumes declining by an average of 40% on an hour-to-hour within the last 24 hours. The reported loss of roughly 10,000 TORN tokens have been traced back to the threat actor's activities. The aftermath of this episode underlines the importance of rigorous code inspection and robust community governance in decentralized protocols.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.