An attacker recently managed to gain full control over the Tornado Cash DAO governance through a malicious proposal passed by the decentralized crypto tumbler. The DAO’s future plans, funds, and handling operations of the privacy-focused cryptocurrency mixer, Tornado Cash, were taken over by an individual or group of unidentified attackers on Saturday.
Tornado Cash is a cryptocurrency mixing service running on Ethereum virtual machine networks and was recently sanctioned by the United States Treasury.
DAO, or decentralized autonomous organization, allows all token holders to lock their holdings as their votes for proposing any changes to a project. At the beginning of this weekend, the attacker got the malicious proposal that potentially hit the code function, granting them fake votes that could now be used to manage certain aspects of the Tornado Cash.
DAO, including TORN tokens, are held either in the main governance contract or locked TORN token withdrawals. The governance system of Tornado Cash manages the upgrades of the protocol, which is mainly run by token holders of the project’s TORN tokens.
On May 20, the governance system approved an upgrade similar to the previous one that has already been passed. But that was not true since the unidentified attacker had introduced an additional function, as tweeted by Samczsun, a so-called security researcher. He also tweeted that since the attackers now have all the votes, they have complete freedom to do whatever they want. In this particular case, they chose to withdraw 10,000 votes as TORN tokens and sold them all.
After passing the upgrade, the attacker utilized the function to hand over an additional 1.2 million votes, which gave them full control over the entire system of governance. The 10,000 votes in TORN tokens were sold for $25,600 and drained the remaining locked votes. A total of 483,000 TORN tokens were taken out from the vault, as stated by EmberCN. Around 6000 TORN tokens were claimed to be deposited on Bitrue, a popular crypto exchange, and 379,000 were sold on-chain for Ether worth $680,000, and the remaining were under the control of the attackers with around 100,000 TORN tokens.
As such, the attack did not have any actual impact on the Tornado Cash protocol – which allows its users to transfer funds through the service to obscure or mask the movement of funds and digital addresses. This attack did not exploit any of the technology or smart contracts surrounding the operations of Tornado Cash.
According to statements of Wu Blockchain, Binance claimed that the exchange would stop all transactions using TORN, whereas Justin Sun tweeted that the TORN token deposits and withdrawals remain available on Huobi. Meanwhile, the entire community of Tornado Cash has brought about new proposals to revert the changes made to the code.