In a recent security breach, the decentralized autonomous organization (DAO) responsible for managing Tornado Cash, the privacy-focused crypto mixer, fell victim to an unidentified attacker or group of attackers.
The incident gave the attacker control of the DAO's governance and of the funds it held. The attack did not, however, compromise the functionality or security of the Tornado Cash protocol itself, the set of contracts that lets users obscure the link between their deposits and withdrawals.
DAO governance works by having token holders lock up their tokens in exchange for voting power over proposals that change the project. In this case, the attacker submitted a proposal that concealed a code function which, once the proposal passed and was executed, credited the attacker with fake votes and handed them control over parts of Tornado Cash's governance, including the TORN tokens held in the main governance contract and the ability to withdraw locked TORN. The attacker then withdrew 10,000 votes as TORN tokens and sold them.
Now that they have all the votes, they can do whatever they want. In this case, they simply withdrew 10,000 votes as TORN and sold it all https://t.co/XxYezHusK6 pic.twitter.com/qOefI65SLk
— samczsun (@samczsun) May 20, 2023
This illicit action caused a significant slump in the TORN price, which fell by as much as 40% over the following 24 hours.
Despite the breach, the Tornado Cash community has swiftly responded, introducing new proposals aimed at reverting the malicious changes made by the attacker.
Notably, one community member pointed out that the attacker had minted over 1 million TORN tokens, worth over $4 million at the time. The proposed remedy is to restore the governance state by removing the malicious code and returning voting power to legitimate token holders.
Encouragingly, a recent proposal submitted by a wallet address connected to the attack suggests that the attacker is willing to reverse their actions voluntarily.
The proposal aims to reset the attacker's TORN token holdings to zero, effectively relinquishing the controlling share of governance votes they acquired. Voting is currently underway and concludes on May 26; given the size of the attacker's holdings, the proposal is highly likely to pass.
If the proposal executes successfully, the malicious code inserted into the governance contract will be removed, restoring full governance control to token holders. On the news, TORN rose by up to 10% before stabilizing.
However, some members of the Tornado Cash community have urged caution, raising the possibility that the attacker's actions are a deliberate attempt to manipulate the token's price. Under this theory, the attacker staged the breach to depress TORN's value and buy more of it at a discount.
TornadoCash attacker deployed new proposal that, if executed, would seemingly revert the damage done to the Governance functionality. Either they're giga trolling or it will end up being an expensive but not disastrous lesson in Governance security. https://t.co/QMWYFsi8kP
— 0xdeadf4ce (@0xdface) May 21, 2023
This attack on Tornado Cash is another instance of a structural attack on a DAO or DeFi protocol. Whereas a traditional hack exploits a bug in contract code, a governance attack works within the system's own rules: an approved proposal executes with the governance contract's full authority, so whoever can get a malicious proposal passed can turn that authority against the token holders themselves.
The attacker behind this breach may also have been counting on Tornado Cash's recent designation as a sanctioned entity, which complicates any legal response.
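To make the mechanism described above concrete (locked tokens count as votes, and an approved proposal runs with the governance contract's own authority), here is an added, hypothetical illustration in Solidity. It is not Tornado Cash's governance code, and the contract and function names (ToyGovernance, MaliciousProposal, executeProposal, lockedBalance) are assumptions made for the example. The governance contract executes passed proposals via delegatecall, so a proposal contract that mirrors the governance storage layout can rewrite lockedBalance directly, which is exactly the "fake votes" pattern the article describes. The execute function also carries one hardening check, pinning the proposal's code hash at proposal time, which is added here as a general defence and is not something the article attributes to Tornado Cash.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Tornado Cash's code. All names are hypothetical.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ToyGovernance {
    IToken public immutable token;                     // immutable: lives in code, not storage
    mapping(address => uint256) public lockedBalance;  // storage slot 0: locked tokens == votes
    uint256 public quorum;                             // storage slot 1

    struct Proposal {
        address target;        // contract whose code is delegatecalled on execute
        bytes32 codeHash;      // extcodehash of target recorded when proposed
        uint256 forVotes;
        uint256 againstVotes;
        bool executed;
    }
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public voted;

    constructor(IToken _token, uint256 _quorum) {
        token = _token;
        quorum = _quorum;
    }

    // Lock tokens to obtain voting power.
    function lock(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        lockedBalance[msg.sender] += amount;
    }

    // Withdraw locked tokens. Whatever lockedBalance says is what can be withdrawn,
    // so inflating that mapping lets an attacker drain real tokens held here.
    function unlock(uint256 amount) external {
        lockedBalance[msg.sender] -= amount;           // reverts on underflow in 0.8.x
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    function propose(address target) external returns (uint256 id) {
        require(target.code.length > 0, "target has no code");
        proposals.push(Proposal(target, target.codehash, 0, 0, false));
        return proposals.length - 1;
    }

    function vote(uint256 id, bool support) external {
        require(!voted[id][msg.sender], "already voted");
        voted[id][msg.sender] = true;
        uint256 weight = lockedBalance[msg.sender];
        if (support) proposals[id].forVotes += weight;
        else proposals[id].againstVotes += weight;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed && p.forVotes > p.againstVotes && p.forVotes >= quorum, "not passed");
        // Hardening (added here as a general defence): refuse to run code that no
        // longer matches what was on chain when the proposal was submitted.
        require(p.target.codehash == p.codeHash, "proposal code changed since vote");
        p.executed = true;
        // The proposal's code runs inside THIS contract's storage context. Anything it
        // writes, including lockedBalance, is written with full governance authority.
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "proposal reverted");
    }
}

// What a malicious proposal looks like under this model: it declares the same
// first storage slot as ToyGovernance so that, when delegatecalled, its write to
// lockedBalance lands on the governance contract's vote ledger.
contract MaliciousProposal {
    mapping(address => uint256) private lockedBalance; // slot 0: aliases ToyGovernance.lockedBalance
    address public immutable attacker;                 // immutable: read from this contract's code

    constructor(address _attacker) {
        attacker = _attacker;
    }

    // Looks like a routine "executeProposal" entry point; its effect is to mint votes.
    function executeProposal() external {
        lockedBalance[attacker] += 1_000_000 ether;    // fake votes, now withdrawable via unlock()
    }
}
```

Two caveats on the check in execute. Pinning the code hash only catches a proposal whose on-chain code differs between submission and execution; it does nothing against a proposal whose code was malicious from the start, so voters (or a reviewer they trust) still have to read the deployed bytecode, not just the proposal's description. And because every passed proposal runs with the governance contract's full authority, no check inside execute can distinguish a legitimate parameter change from a hostile rewrite of the vote ledger; that distinction has to be made before the vote.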