- An attacker hijacks the Tornado Cash governance system through a malicious proposal.
- This gave the fraudster total control over Tornado Cash governance, allowing them to withdraw all of the locked votes.
- The attacker then drained all of the tokens in the governance contract and bricked the router.
In a shocking turn of events, Tornado Cash, a decentralized protocol that gives anonymity to Ethereum (ETH) transactions, has become the casualty of a bold attack. On May 20 at 3:25 ET, an unsuspected attacker, in a well-orchestrated attempt, exploited a vulnerability in the governance system and successfully hijacked Tornado Cash governance through a malicious proposal.
This unusual act has since jeopardized users’ privacy and exposed the flaws in Tornado Cash’s governance systems. The question remains, “How did this attacker gain access to the systems?” Read on for the details of the attack and its potential effects on the protocol.
The Attack and Modus Operandi
Reports indicate that the attacker approached the Tornado Cash community with an impressive-looking proposal that contained hard-to-notice malicious clauses.
As explained by @samczsun in a tweet:
“Once voters passed the proposal, the attacker simply used the emergency-stop function to update the proposal logic to grant themselves the fake votes.”
The proposal reportedly contained carefully crafted elements that made it look beneficial and legitimate to Tornado Cash governance participants. After looking into the proposal and its apparent benefits to the community, they voted in favor of it, since it promised enhanced security measures, advanced functionality, and extra incentives for community users.
This uninformed vote gave the attacker the authority to manipulate the protocol's funds, since they now had complete control of Tornado Cash governance, leading to financial losses and compromising user trust in the system. By the time people realized what had happened, the attacker “simply withdrew 10,000 votes as TORN and sold it all,” explained @samczsun.
Implications and Cause of Fear
By May 21, the attacker had complete control over Tornado Cash governance and could inflict massive losses. The attacker could drain all tokens in the contract, brick the router, withdraw all locked votes, and compromise user privacy. This is a frustrating event for Tornado Cash governance, since user privacy remains one of the foundations of Tornado Cash, and access to that information by a third party jeopardizes the principles of the protocol.
In response to the events, an active community member named Mr. Tornadosaurus Hex indicated that all funds in the Governance were compromised and invited all members to withdraw all their funds locked in the governance system, as shown in the message below.
These calls made it clear that members were scrambling to revert the alterations and were being urged to withdraw their funds. The outcome of these calls by Mr. Tornadosaurus was uncertain, since the attacker had gained complete control of the mixer’s Governance.
As things unfolded and members took the opportunity to withdraw their funds, the attacker reached out again with a new message. The attacker had a new proposal to potentially restore the state of Governance, with hints that governance would be given back to the community's control, as posted by Mr. Tornadosaurus in the Tornado Cash Forums, as shown below.
This prompted cautious optimism that the attacker would hand governance back, but others speculate it is a move to pump the TORN token’s price before cashing out. We are closely monitoring the sequence of events as it unfolds and as Tornado Cash community members scramble to keep their assets safe.