An attacker recently gained control of Tornado Cash’s governance by deploying a malicious contract to access thousands of votes. This incident was reported by researcher @samczsun, from web3-focused investment firm Paradigm, over the weekend. The attacker claimed to use the same logic as a previously passed proposal in creating their malicious proposal, without disclosing that they added an extra function. The exploiter implemented the emergencyStop function immediately after Tornado Cash voters passed the proposal and updated the proposal logic to grant themselves 1.2 million fake votes. The attacker’s votes are more than the legitimate ones, which gave them full control of Tornado Cash’s governance.
As a result, the attacker can now withdraw all locked votes, drain all tokens in the governance contract, and brick the router, but they cannot drain individual pools. The web3 media group WhaleCoinTalk reported that the exploiter drained 473,000 TORN – the mixer’s native token – worth more than $2.1 million from the governance contract shortly after taking hold of Tornado Cash’s contract. The bad actor then sold the assets on-chain and deposited the profits back into Tornado.
Tornadosaurus-Hex, an active member of Tornado Cash’s community, confirmed that the attack had compromised all funds in governance. The member urged all members to withdraw their assets locked in the contract and tried to deploy a contract that could revert the changes. The native token’s value plummeted by roughly 40% after the incident, sitting now at $4.5 from a previous high of $7.3.
“While we all know that proposal descriptions can lie, proposal logic can lie too! If you’re depending on the verified source code to stay the same, make sure the contract doesn’t have the ability to self-destruct,” warned researcher @samczsun.
About the author - J-S Tremblay
I've been involved in the cryptocurrency world since 2016 and trading since 2019. I started Moon and Lambo in 2021. I'm passionate about crypto and love to share my knowledge. I hate bankers and I hope that cryptocurrency will change the financial world for the better. View full profile...
View J-S Tremblay website
