21-5-2023

The DAO responsible for managing operations, funds, and future plans of Tornado Cash, a privacy-focused cryptocurrency mixer, was effectively hijacked by an unidentified attacker or group of attackers on Saturday.
Decentralized autonomous organizations (DAOs) enable token holders to lock up their holdings as votes for proposing changes to a project. These changes can encompass a wide range of actions, from utilizing treasury funds for the project’s benefit to expanding onto other networks.
On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz
— @samczsun.com (@samczsun) May 20, 2023
Over the weekend, the attacker introduced a malicious proposal that concealed a code function granting them counterfeit votes. Those votes can now be used to control certain aspects of Tornado Cash, including governance over the torn (TORN) tokens held within the main governance contract and the withdrawal of locked torn tokens.
Once the proposal was passed by voters, the attacker simply used the emergencyStop function to update the proposal logic to grant themselves the fake votes https://t.co/JgYk9PJg6O https://t.co/y3bjglXD7J pic.twitter.com/kpGXC3LtjW
— @samczsun.com (@samczsun) May 20, 2023
By presenting a proposal that mimicked an earlier version but included malicious code, the attacker successfully updated the logic, gaining access to all governance votes. “Now that they have all the votes, they can do whatever they want,” highlighted security researcher @samczsun on Sunday. “In this case, they simply withdrew 10,000 votes as TORN and sold it all.”
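The pattern described above, where the logic at a proposal's address is changed after voters have approved it, is one a governance executor can refuse to run by recording the proposal contract's bytecode hash at submission time and re-checking it at execution time. The Solidity sketch below is an added illustration written for this article; it is not Tornado Cash's governance code. The contract and function names, the delegatecall execution model, the constructor-assigned voting power and the quorum value are all assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added sketch of a governance executor that pins proposal bytecode.
// Not Tornado Cash's contract: names, the delegatecall execution model,
// the voting-power setup and the quorum value are assumptions.
contract PinnedGovernance {
    struct Proposal {
        address target;     // contract holding the proposal logic
        bytes32 codeHash;   // target.codehash recorded when the proposal was submitted
        uint256 forVotes;
        bool executed;
    }

    uint256 public constant QUORUM = 100;            // assumed threshold for the sketch
    mapping(address => uint256) public votingPower;  // assumed: fixed at deployment
    mapping(uint256 => mapping(address => bool)) public hasVoted;
    Proposal[] public proposals;

    event ProposalCreated(uint256 indexed id, address target, bytes32 codeHash);
    event ProposalExecuted(uint256 indexed id);

    constructor(address[] memory voters, uint256[] memory power) {
        require(voters.length == power.length, "length mismatch");
        for (uint256 i = 0; i < voters.length; i++) {
            votingPower[voters[i]] = power[i];
        }
    }

    function propose(address target) external returns (uint256 id) {
        bytes32 hash = target.codehash;
        // codehash is 0 for a non-existent account and keccak256("") for one with no code
        require(hash != bytes32(0) && hash != keccak256(""), "target has no code");
        proposals.push(Proposal(target, hash, 0, false));
        id = proposals.length - 1;
        emit ProposalCreated(id, target, hash);
    }

    function castVote(uint256 id) external {
        require(id < proposals.length, "no such proposal");
        require(!hasVoted[id][msg.sender], "already voted");
        hasVoted[id][msg.sender] = true;
        proposals[id].forVotes += votingPower[msg.sender];
    }

    function execute(uint256 id) external {
        require(id < proposals.length, "no such proposal");
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(p.forVotes >= QUORUM, "quorum not reached");
        // The check that matters: if the bytecode at the proposal address no longer
        // matches what voters reviewed, refuse to run it.
        require(p.target.codehash == p.codeHash, "proposal code changed since vote");
        p.executed = true;
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "proposal execution failed");
        emit ProposalExecuted(id);
    }
}
```

The codehash comparison only blocks a swap of logic between the vote and execution. It does not help when the harmful behaviour is already present in the bytecode voters approved, so reviewing the deployed bytecode of a proposal, rather than its description or a resemblance to an earlier proposal, remains the other half of the defence.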
It’s important to note that this attack does not affect the actual functioning of the Tornado Cash protocol, which allows users to obfuscate the movement of funds and crypto addresses. The attack was not an exploitation of any smart contracts or technology related to the core functionality of Tornado Cash.
Meanwhile, the Tornado Cash community has initiated new proposals aiming to revert the unauthorized changes made to the code. A community member discovered that the attacker had illicitly minted over 1 million torn, valued at over $4 million at current prices. Efforts are underway to address the situation and restore the integrity of Tornado Cash’s DAO.