Disclaimer: Information found on CryptoreNews is those of writers quoted. It does not represent the opinions of CryptoreNews on whether to sell, buy or hold any investments. You are advised to conduct your own research before making any investment decisions. Use provided information at your own risk.
CryptoreNews covers fintech, blockchain and Bitcoin bringing you the latest crypto news and analyses on the future of money.
Compounding the existing challenges faced by the decentralized crypto mixer Tornado Cash, an attacker succeeded in seizing complete control of the governance through a harmful proposal.
On May 20 at 3:25 ET, the attacker effectively allocated 1.2 million votes to a malicious proposal. With the proposal garnering over 700,000 legitimate votes, the attacker achieved total dominance over Tornado Cash governance.
On 2023/05/20 at 07:25:11 UTC, the governance of Tornado Cash effectively came to an end. Through a malicious proposal, the attacker awarded themselves 1,200,000 votes. Since this exceeds the approximately 700,000 legitimate votes, they now possess full control. https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz
— @samczsun.com (@samczsun) May 20, 2023
This information was disclosed by @samczsun from the research-focused technology investment firm Paradigm, who indicated that, while presenting the malicious proposal, the attacker asserted that it employed logic akin to a previously accepted community proposal. However, this iteration included an additional function.
As detailed by @samczsun:
“Once the proposal was approved by voters, the attacker merely utilized the emergencyStop function to modify the proposal logic to allocate themselves the fraudulent votes.”
Having total control over Tornado Cash governance enables the attacker to withdraw all locked votes, deplete all tokens in the governance contract, and disable the router. As of the current moment, the attacker “simply withdrew 10,000 votes as TORN and liquidated it all,” stated @samczsun. This incident serves as a cautionary note for crypto investors to scrutinize proposal descriptions and logic. An active group within Tornado Cash, known as Tornadosaurus-Hex or Mr. Tornadosaurus Hex, confirmed that all funds in Governance are potentially at risk and urged all members to withdraw any funds locked in governance.
Related Posts
As illustrated above, they also attempted to deploy a contract that could potentially reverse the changes while still advising the community to withdraw their funds. Cointelegraph also encountered a distress signal from one of Tornado Cash’s community developers who validated the aforementioned developments, stating:
“There was an attack on the protocol this morning that you are already aware of. Throughout the day, another community developer and I deliberated on what actions to take, but the situation appears nearly hopeless – at present, the attacker controls Governance.”
The team is actively seeking Solidity developers who can assist in rescuing the protocol from potential collapse. They also mentioned that “we need to establish contact with Binance – this exchange holds more tokens than the attacker.”
Related: Allbridge offers bounty to exploiter who stole $573K in flash loan attack
A former Tornado Cash developer is reportedly in the process of creating a new crypto mixing service from the ground up, which aims to address the “critical flaw” present in Tornado Cash.
1/ We fixed @tornadocash 😇
v0 of https://t.co/Nt4b2Tgx1D is live on @optimismFND
test out the demo, but please note:
– this is experimental code
– it has not been audited
– the trusted setup is untrusted
read the full story anon 🧵👇https://t.co/9nAU3RrgpN— Ameen Soleimani (@ameensol) March 4, 2023
The developer aspires that the solution will enable “the community to protect against hackers exploiting the anonymity sets of honest users without necessitating blanket regulation or compromising crypto principles.”
Magazine: ‘Moral responsibility’: Can blockchain really improve trust in AI?
