Tornado Cash Attacker Submits Proposal to Revert Governance Control, TORN Down 40% in 2 Days

Popular crypto mixer Tornado Cash lost control of its governance to an attacker who deployed a malicious contract to access thousands of votes, according to a tweet from researcher @samczsun at web3-focused investment firm Paradigm.

The attacker created a proposal using the same logic as a previously passed proposal, but added an extra function, as revealed in @samczsun’s tweet. More recently, though, the attacker posted a new proposal to restore the state of governance, according to a post on the mixer’s community forum.

Attacker Seizes Tornado Cash Governance

After Tornado Cash voters passed the proposal, the attacker implemented the emergencyStop function and updated the proposal logic to grant themselves 1.2 million fake votes, gaining control of the crypto mixer’s governance. With full control, the attacker can withdraw locked votes, drain tokens in the governance contract, and brick the router, although they cannot drain individual pools.

“Be careful what you vote for! While we all know that proposal descriptions can lie, proposal logic can lie too! If you’re depending on the verified source code to stay the same, make sure the contract doesn’t have the ability to self-destruct,” warned @samczsun.
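
The check that warning calls for can be run before voting. The following is an added example, not code from the article, the researcher, or the Tornado Cash project: a Python scan of a proposal contract's runtime bytecode for SELFDESTRUCT, plus DELEGATECALL and CALLCODE, which can execute another contract's self-destruct. The function names are hypothetical and the bytecode strings are constructed samples.

```python
# Added example: flag opcodes that let the code at a reviewed address be
# destroyed (and possibly replaced) after voters have read the verified source.
# Linear sweep only: it does not prove reachability, and trailing metadata or
# embedded data may cause false positives. Treat any hit as "review by hand".

PUSH1, PUSH32 = 0x60, 0x7F  # PUSHn carries n immediate bytes that are data, not code
RISKY = {
    0xFF: "SELFDESTRUCT",   # contract can remove its own code
    0xF4: "DELEGATECALL",   # runs foreign code in this contract's context
    0xF2: "CALLCODE",       # legacy variant of the same idea
}


def find_risky_opcodes(bytecode_hex):
    """Return [(offset, opcode_name)] for risky opcodes in runtime bytecode."""
    if bytecode_hex.startswith(("0x", "0X")):
        bytecode_hex = bytecode_hex[2:]
    code = bytes.fromhex(bytecode_hex)
    hits = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            # Skip the immediate bytes so a pushed 0xff is not misread as an opcode.
            pc += 1 + (op - PUSH1 + 1)
            continue
        if op in RISKY:
            hits.append((pc, RISKY[op]))
        pc += 1
    return hits


def can_self_destruct(bytecode_hex):
    """True if a SELFDESTRUCT opcode appears outside PUSH data."""
    return any(name == "SELFDESTRUCT" for _, name in find_risky_opcodes(bytecode_hex))


if __name__ == "__main__":
    samples = {  # constructed bytecode, not taken from any real contract
        "PUSH1 0x00; SELFDESTRUCT": "0x6000ff",
        "PUSH2 0xff00; STOP (0xff is data only)": "0x61ff0000",
        "GAS; DELEGATECALL": "0x5af4",
    }
    for label, code in samples.items():
        print(label, "->", find_risky_opcodes(code) or "no risky opcodes")
```

Run it against the runtime code returned by `eth_getCode` for the proposal's address rather than against the published source, since the deployed code is what executes.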

Over $2.1M TORN Tokens Stolen

After taking control of Tornado Cash’s contract, the attacker drained 473,000 TORN, worth over $2.1 million, from the governance contract and sold the assets on-chain, depositing the profits back into Tornado. Tornadosaurus-Hex, a community member, confirmed the attack had compromised all funds in governance and urged members to withdraw their locked assets. Tornadosaurus-Hex has also attempted to deploy a contract to revert changes made by the attacker.

The project’s native token, TORN, dropped roughly 40% to $4.5 after the news surfaced.