In a concerning development, Tornado Cash, a decentralized crypto mixer, has encountered a significant setback as an attacker managed to seize full control of the platform’s governance through a malicious proposal. The incident unfolded on May 20 at 3:25 ET when the attacker granted themselves 1.2 million votes, effectively taking over Tornado Cash’s governance system. This exploit occurred despite the proposal receiving over 700,000 legitimate votes, allowing the attacker to manipulate the platform at will.
The attacker designed a malicious program to attack Tornado Cash
The details of the attack were shared by @samczsun, a member of Paradigm, a research-driven technology investment firm. According to @samczsun, the attacker cunningly designed the malicious proposal to resemble a previously successful one, exploiting the trust and familiarity of the community. However, this time, the proposal included an additional function.
Once the proposal gained sufficient votes, the attacker swiftly executed the emergency stop function, modifying the proposal logic to grant themselves the fraudulent votes. With complete control over Tornado Cash’s governance, the attacker proceeded to withdraw 10,000 votes as TORN and subsequently sold them for personal gain.
This incident serves as a stark reminder to crypto investors about the importance of scrutinizing proposal descriptions and logic before casting their votes. In response to the attack, Tornado Cash’s active community member known as Tornadosaurus-Hex or Mr. Tornadosaurus Hex confirmed that all funds within the Governance system are potentially compromised. They urged all members to withdraw their locked funds from governance to safeguard their assets.
In an effort to address the situation, the community attempted to deploy a contract to revert the changes and advised members to withdraw their funds. Meanwhile, a distressed call for help was issued by a community developer, confirming the attack and stating that the situation currently remains dire, with the attacker controlling the Governance system.
The platform is looking for ways to salvage the situation
The Tornado Cash team is actively seeking Solidity developers who can assist in salvaging the protocol from this critical situation. Additionally, they are seeking to establish contact with Binance, as the exchange holds more tokens than the attacker, potentially providing a path for mitigating the damage.
Meanwhile, a former Tornado Cash developer is reportedly working on creating a new crypto mixing service from scratch. This new solution aims to address the “critical flaw” present in Tornado Cash while empowering the community to protect against hackers without resorting to excessive regulation or compromising the core principles of cryptocurrencies.
As Tornado Cash faces the aftermath of this attack, the crypto community is reminded of the ongoing challenges and vulnerabilities present in the decentralized ecosystem. Efforts to enhance security measures and community involvement are essential to safeguarding the integrity and trustworthiness of these platforms in the future.