Complete control of the governance of Tornado Cash DAO was acquired by an attacker through a malicious proposal approved by the decentralized crypto tumbler. Unfortunately, the responsible individual or group has not yet been identified. As a result, the future activities, funds, and management operations of the DAO’s privacy-focused cryptocurrency mixer, Tornado Cash, have been compromised. We recommend that you remain vigilant and that you take appropriate measures to restore governance control in a secure and effective manner.
The stability of Tornado Cash’s governance is currently being seriously jeopardized.
Tornado Cash is a cryptocurrency mixing service that uses Ethereum virtual machine networks. Lately, the United States Treasury has sanctioned this service. The system is managed through a decentralized autonomous organization called DAO, which allows all token holders to block their shares as votes to propose any changes to the
project.
Over the weekend, an attacker used a fraudulent proposal that potentially affected the code function, granting false votes that can now be used to manage some aspects of Tornado Cash. The TORN tokens, together with the DAOs, are held in the main governance contract or blocked in the withdrawals of
TORN tokens.
The Tornado Cash governance system manages protocol updates, depending mainly on the holders of the project’s TORN tokens. In general, the security and integrity of the project must not be compromised
.
The DAOs, including the TORN tokens, are held within the main governance contract or tied to the withdrawals of the TORN tokens. The Tornado Cash governance system manages protocol updates, which are mainly decided by the project’s TORN token holders. On May 20, the governance system approved an update considered similar to the previous one already authorized. However, this statement turned out to be false, as an unidentified attacker had introduced an additional function, as reported by Samczsun, a well-known security researcher. In addition, he specified that the attackers now hold all the votes and enjoy complete freedom to decide what to do. In the story that emerged, they have in fact opted to collect 10,000 TORN tokens and
sell them all.
After completing the update, the attacker used the function to deliver an additional 1.2 million votes, gaining absolute control over the entire governance system. The 10,000 votes in TORN tokens were sold for a sum of 25,600 dollars, eliminating the remaining blocked votes. The vault reported a theft of 483,000 TORN tokens, while 6,000 were deposited on Bitrue, a popular cryptocurrency exchange. 379,000 of the tokens were sold on-chain for an amount of Ether worth 680,000 dollars. The attackers currently hold around 100,000 TORN tokens
.
However, it is important to underline that the attack suffered had no repercussions on the Tornado Cash protocol, which allows its users to obscure or hide the movements of funds and digital addresses through the service provided. It should also be noted that the attack did not exploit any of the technologies or smart contracts related to the operations of Tornado Cash
.
According to Wu Blockchain’s statements, Binance has declared the interruption of all transactions that use TORN, while Justin Sun has tweeted that the deposits and withdrawals of TORN tokens remain available on Huobi. In the meantime, the Tornado Cash community has presented new proposals to restore the changes made to the code. All this in the context of a climate of attention and caution on the part of cryptocurrency operators, with an ever vigilant eye on developments in the sector
.
