A hacker has managed to take control of the governance of the Tornado Cash mixer thanks to a malicious proposal. Will this event cause the end of the protocol
The governance of Tornado Cash has been hacked
The Tornado Cash protocol was hit by a rather unusual attack this weekend. A hacker managed to take control of the governance system thanks to a malicious proposal. In a thread on Twitter, @samczsun, a researcher at Paradigm, explained how the events unfolded:
On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control.https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz
– @samczsun.com (@samczsun) May 20, 2023
The modus operandi is fairly technical, but let’s try to summarise it simply and explain the consequences. Firstly, the proposal would have been similar to a previously adopted proposal, except that it contained a function which, once its vote had been validated by governance, allowed the attacker to modify critical points in order to attribute false votes to himself.
In this way, the hacker was able to give himself 1,200,000 votes when the governance had around 700,000 legitimate votes. This action then gave him control over the said governance, opening the way for him to steal TORN tokens, for example, which were deposited in the governance’s ballots.
Is this the end of the protocol?
While Tornado Cash’s survival had already suffered a blow following the sanctions imposed by the Office of Foreign Assets Control (OFAC) in August 2022, this new setback once again puts the protocol in jeopardy, at least in its current form.
It should be noted that, on the face of it, the deposit pools used to anonymise funds do not appear to be in danger. In fact, the PeckShield alerts account even noted that the hacker had himself used the application to launder the funds he had stolen, which included, for example, around 380,000 TORN exchanged for 372 ETH :
PeckshieldAlert Tornado Cash Governance Exploiter has deposited 6K $TORN to Bitrue And swapped ~380K $TORN for $ETH and then transferred 372 $ETH into Tornado Cashhttps://t.co/3fEa1kYFaz pic.twitter.com/BzqagupO5c
– PeckShieldAlert (@PeckShieldAlert) May 21, 2023
According to MistTrack, SlowMist’s on-chain tracking unit, more than 483,000 TORN were stolen in the attack:
The remaining $TORN was exchanged for ETH using @1inch and then deposit into https://t.co/FRBMx1wIMz
Hacker Address: https://t.co/TT9DItDB6T
– MistTrack️ (@MistTrack_io) May 21, 2023
At the current price, that’s almost $2.25 million. But this figure is actually distorted, given that the token has lost 27.2% over the past 24 hours, and that the attacker has made numerous moves since taking control. With a daily high of $7.29 on Saturday, its price plunged to $3.55 after the attack, and is currently trading at $4.62.
At the time of writing, the hacker’s address was still hosting 97,700 TORN tokens.
For its part, Binance has temporarily suspended trading in the asset, pending further information on the case.
While it is usually the smart contracts of the applications themselves that are targeted by hackers, an event such as this highlights the fact that the points of attack on a protocol can be found at different levels of its architecture. As far as Tornado Cash specifically is concerned, the next few days will probably provide more clues as to whether it will survive or not.