Tornado Cash, the infamous cryptocurrency mixer, suffered another setback as an attacker managed to seize full control of the platform’s governance through a malicious proposal.
According to reports, Samczsun, a security researcher at crypto investment firm Paradigm, revealed on Twitter that an attacker granted themselves 1.2 million fake votes on Saturday. Because the fake votes exceeded the roughly 700,000 legitimate votes, the attacker gained full control over the governance of Tornado Cash.
With complete control over Tornado Cash’s governance, the attacker proceeded to withdraw 10,000 votes as TORN and subsequently sold them for personal gain. For the unversed, the Tornado Cash token (TORN) is the governance token of the crypto mixer.
On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz
— @samczsun.com (@samczsun) May 20, 2023
Hacker Submits Proposal To Undo Attack
In response to the attack, Tornado Cash’s active community member known as Tornadosaurus-Hex confirmed that all funds within the Governance system were potentially compromised. They urged all members to withdraw their locked funds from governance to safeguard their assets. However, shortly after the attack, a proposal was submitted by a wallet address linked to the attack, proposing to reverse the malicious changes.
Tornadosaurus-Hex wrote in the Tornado Cash community forum, “The attacker posted a new proposal to restore the state of governance”, adding there is a “good chance” that the attacker would execute it. The user claimed the attacker is reverting the hijacked TORN tokens, which gave them a controlling share of the governance votes, back to zero.
When the proposal passes, the malicious code that the attacker integrated into the protocol, which allowed them to steal voting power from others, will be removed, and the governance of Tornado Cash’s DAO will go back to token holders.
Tornado Cash’s Chronic Troubles
Following the news, TORN jumped 6.22% in the last 24 hours to trade at $4.62. However, over the past seven days the token has remained under severe pressure due to the hijack. Meanwhile, 0xdeadf4ce, an active member of the TORN community, pointed out that this might all be a “gigatroll” to depress the price of the token so the attacker can increase their holdings at a discount.
TornadoCash attacker deployed new proposal that, if executed, would seemingly revert the damage done to the Governance functionality. Either they're giga trolling or it will end up being an expensive but not disastrous lesson in Governance security. https://t.co/QMWYFsi8kP
— 0xdeadf4ce (@0xdface) May 21, 2023
The decentralized currency mixer was sanctioned by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) on August 8, 2022, for allowing hackers to launder nearly $7 billion in cryptocurrency since 2019. As per the United States Treasury Department, Tornado Cash had served as a key tool for the Lazarus Group, a North Korean hacking group tied to the $625 million hack of Axie Infinity’s Ronin Network in March 2022.