In a recent incident, an attacker successfully exploited the governance system of Tornado Cash DAO, a popular cryptocurrency mixing service operating on the Ethereum network. The attacker’s manipulative actions granted them complete control over the DAO’s governance, posing a severe threat to the project’s operations and funds.
On May 20, the DAO’s governance system approved what appeared to be a routine upgrade. However, it later became apparent that the upgrade contained an additional function added by the attacker. This deceitful move allowed the attacker to secure an extra 1.2 million votes, effectively giving them complete control over the governance system.
Seizing this newfound power, the attacker wasted no time in taking advantage of the situation. They promptly withdrew 10,000 votes in the form of TORN tokens and sold them for approximately $25,600. Subsequently, the attacker drained the remaining locked votes from the system, resulting in 483,000 TORN being siphoned from the DAO’s vault.
Now that they have all the votes, they can do whatever they want. In this case, they simply withdrew 10,000 votes as TORN and sold it all https://t.co/XxYezHusK6
— @samczsun.com (@samczsun) May 20, 2023
Analysts have determined that the attacker converted 6,000 TORN into another cryptocurrency and deposited it on the Bitrue exchange. Furthermore, approximately 379,000 TORN tokens were sold on-chain for an estimated $680,000 worth of ether, leaving the attacker with control over nearly 100,000 TORN.
The repercussions of this attack have prompted swift responses from the cryptocurrency community. Binance has suspended deposits and withdrawals of TORN, while Huobi continues to allow such transactions. Despite the attacker’s control over the governance system, they cannot access the funds held within the Tornado Cash protocol, except for an upgradeable single pool on Gnosis Chain.
The impact of the attack has also been felt in the market, with the price of TORN experiencing a significant drop from its previous high of $7.3 to as low as $3.75. However, it has since rebounded to around $4.60.
It is worth emphasising that the attack did not exploit any vulnerabilities within the Tornado Cash protocol. The attack focused solely on gaining control over the governance system rather than compromising the service’s core functionality, which enables users to obfuscate the origins of their funds and crypto addresses.
In response to the attack, the Tornado Cash community is actively proposing changes to revert the malicious alterations made by the attacker. The community has also highlighted that the attacker maliciously minted over 1 million TORN tokens, which, at current prices, amount to a value exceeding $4 million.
Efforts are underway to mitigate the impact of this attack and restore stability to the Tornado Cash DAO. It serves as a reminder of the importance of robust security measures within decentralised autonomous organisations and the need for ongoing vigilance to safeguard the integrity of blockchain projects.