Hijacker’s Remorse in Tornado Cash Governance Tussle?

After a governance takeover, the perpetrator offers a proposal, but the community is skeptical

by Shalini Nagarajan /
article-image

WindAwake/Shutterstock, modified by Blockworks

share

An unidentified hacker executed a hostile takeover of sanctioned cryptocurrency mixer Tornado Cash over the weekend. They successfully gained control over the protocol’s governance by submitting a malicious governance proposal, enabling them to assume full authority.

Samczsun, a security researcher at crypto-focused venture firm Paradigm, said in a tweet on Sunday that the attacker granted themselves 1.2 million votes through a malicious proposal. 

They gained complete control over Tornado Cash’s governance by generating more fake votes than legitimate votes, surpassing the threshold of 700,000.

Loading Tweet..

Tornado Cash is a decentralized privacy tool on the Ethereum blockchain that works by mixing funds pooled from multiple parties in uniform amounts, so it’s harder for anyone to trace specific deposits and withdrawals.

The protocol was built with a governance token called TORN, allowing token holders to participate in decision-making. The protocol is managed, at least partially, by a decentralized autonomous organization (DAO) comprised of these token holders.

By gaining control over Tornado Cash’s governance, the attacker has the power to withdraw all the locked votes and drain all the tokens in the governance contract. 

“Now that they have all the votes, they can do whatever they want. In this case, they simply withdrew 10,000 votes as TORN and sold it all,” samczsun said about the hack.

The protocol itself is immutable, so ETH deposited by users into the mixer is not at risk.

Tornado Cash faced sanctions from the US Treasury in August 2022 due to allegations of laundering about $7 billion in crypto since its establishment in 2019. Among the laundered funds is a significant amount of $445 million that authorities say was hacked by the North Korean hacker group Lazarus.

Following news of the exploit, Binance announced a temporary suspension of TORN deposits until further notice.

Blockworks has reached out to Tornado Cash for comment.

TORN recovers as proposal to reverse attack gains support

Technically, the code that was executed was not what token holders had voted for, but the contract contained an updatable dependency, and the attacker was able to replace part of it after the vote — effectively a bait and switch.

TORN plunged over 36% after the attack, according to Blockworks Research data. 

But the token recovered over 8% on Monday after the person who anonymously gained control of the protocol’s governance suggested a plan to undo the harmful code.

According to the new proposal, the attacker’s ownership of tokens would be reduced to zero. 

Based on current indications, it appears likely that the proposal will be approved once voting concludes on May 26. As of press time, there were over 517,000 votes in favor of the proposal.

In the Tornado Cash community forum, one user, using the pseudonym Tornadosaurus-Hex expressed belief that there is a “good chance” the attacker will follow through with the proposal. 

The user emphasized the significance of the proposal, even though the community may not have a say in its implementation.

Meanwhile, 0xdeadf4ce, another community member, said on Twitter that the new proposal could revert the damage done to the protocol’s governance.

“Either they’re giga trolling or it will end up being an expensive but not disastrous lesson in Governance security,” they added.

Loading Tweet..

They speculated that the new proposal might be an effort to increase the price of TORN, which plunged after the governance takeover.

Funds at risk on Gnosis Chain

The true target may also be a smaller implementation of Tornado called Nova, deployed on Gnosis Chain. Unlike the primary Ethereum pool, Nova is fully upgradeable by governance, meaning the ether in the pool are fully at risk of loss.

There is a 7-day timelock on upgrading the protocol’s contract, meaning any users with ETH in the pool, have a window of time to rescue their funds.

https://twitter.com/samczsun/status/1660042906500214784?s=20

Currently, there are roughly 500 ether, worth about $900,000 in the contract.

Macauley Peterson contributed reporting.

Don’t miss the next big story – join our free daily newsletter.

Tags

Upcoming Events

Permissionless III

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

join us in Salt Lake City, UT

Digital Asset Summit 2024 | London

MON - WED, MARCH 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience:  Attend expert-led panel discussions and fireside chats  Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts   Grow your network […]

join us in Hilton Metropole | 225 Edgware Rd, London

buy tickets

recent research

Pyth Cover.jpg

Research

Pyth Network: Pull, Not Push

Pyth is a low latency pull-based oracle. In a future that looks increasingly high frequency, with various alt L1s and L2s that have significantly shorter block times than Ethereum, and an explosion of “high-frequency” protocols such as oracle or CLOB perp DEXs, Pyth’s low latency oracle product looks much better positioned to capture a significant amount of market share in comparison to competitors.

by Ren Yu Kong

/

news

article-image

Markets

Crypto assets dip as Binance settlement unfolds — but what’s next?

Binance settlement “an important part of clearing the way for the next bull market cycle,” crypto hedge fund executive says

by Ben Strack /
article-image

Policy

SEC’s Hester Peirce: We don’t have to regulate crypto through the courtroom

Hester Peirce reiterated Tuesday that court cases are not the only path to regulatory clarity for crypto, but her colleagues do not always agree

by Casey Wagner /
article-image

Policy

DOJ alleges AML, sanctions violations against Binance, CEO Changpeng Zhao in unsealed indictment

The indictment followed leaks Monday that a Binance settlement deal was forthcoming

by Katherine Ross /
article-image

Business

Binance CEO Changpeng Zhao to step down: WSJ

The Binance executive is also reportedly set to make an appearance in a Seattle courtroom Tuesday

by Katherine Ross /
article-image

Business

Bullish or bearish? A wild 24 hours for crypto exchanges

Monday developments reaffirmed the US as unfriendly to crypto while also offering a potential bullish outlook for segment firms, industry watchers say

by Ben Strack /
article-image

Policy

DOJ to announce ‘significant’ crypto enforcements alongside CFTC, Treasury

It’s unclear what “actions” the CFTC, DOJ and Treasury will announce Tuesday afternoon

by Katherine Ross /