Date: 2023-05-22

An attacker has taken control of Tornado Cash DAO, the decentralized organization responsible for handling funds and operations of the popular crypto mixer.

The price of Tornado Cash’s native token TORN tumbled as a result of the governance attack, dropping by as much as 40% before trimming some losses.

Over the weekend, it was revealed that an attacker had taken full control of the DAO after managing to pass a malicious proposal that hid a code function granting them fake votes.

“Through a malicious proposal, an attacker granted themselves 1,200,000 votes,” samczsun, a security researcher at crypto investment firm Paradigm, said.

“As this is more than the ~700,000 legitimate votes, they now have full control.”

On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. — @samczsun.com (@samczsun) May 20, 2023

The security researcher detailed that the attacker can use their governance control to withdraw all of the locked votes, drain all of the tokens in the governance contract, and “brick the router.”

“However, the attacker still can’t drain individual pools,” they added.

How Did the Attacker Take Over Tornado Cash DAO?

The attacker based their proposal on an earlier one that had successfully passed, and hid malicious code in it that allowed the proposal’s logic to be updated, giving the attacker access to all governance votes.

After the Tornado Cash community passed the malicious proposal, the attacker “used the emergencyStop function” to update the proposal logic and grant themselves fake governance votes.

“Now that they have all the votes, they can do whatever they want,” samczsun tweeted on Sunday. “In this case, they simply withdrew 10,000 votes as TORN and sold it all.”

Finally, what can we learn from this? Be careful what you vote for! While we all know that proposal descriptions can lie, proposal logic can lie too! If you're depending on the verified source code to stay the same, make sure the contract doesn't have the ability to selfdestruct — @samczsun.com (@samczsun) May 20, 2023
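The takeaway above is that voters verified the proposal's source code, but the contract could later be replaced by different logic at the same address because it was able to selfdestruct. The following is an added example, not code from samczsun, Tornado Cash, or this article, showing two defender-side checks a governance reviewer could automate: scanning a proposal contract's runtime bytecode for the SELFDESTRUCT opcode (correctly skipping PUSH immediates so a 0xff data byte is not a false positive), and pinning a hash of the bytecode at submission time so execution is refused if the code has changed since the vote. The bytecode samples are constructed for illustration, the `ProposalRegistry` class is hypothetical, and sha256 stands in for the EVM's keccak256 so the script runs offline.

```python
"""Defender-side checks for DAO proposal contracts (added example; not the
project's own code). Bytecode samples are constructed, not real contracts."""
import hashlib

SELFDESTRUCT = 0xFF
PUSH1, PUSH32 = 0x60, 0x7F


def opcodes(code: bytes):
    """Yield (offset, opcode) pairs, skipping the immediate data that follows
    PUSH1..PUSH32 so a 0xff byte inside a pushed constant is not mistaken for
    a SELFDESTRUCT instruction."""
    i = 0
    while i < len(code):
        op = code[i]
        yield i, op
        if PUSH1 <= op <= PUSH32:
            i += op - PUSH1 + 1  # PUSHn carries n bytes of immediate data
        i += 1


def can_selfdestruct(code: bytes) -> bool:
    """True if the bytecode contains a SELFDESTRUCT instruction.
    Conservative: no reachability analysis, so any occurrence is flagged."""
    return any(op == SELFDESTRUCT for _, op in opcodes(code))


def code_hash(code: bytes) -> str:
    # sha256 stands in for keccak256 / EXTCODEHASH in this offline example.
    return hashlib.sha256(code).hexdigest()


class ProposalRegistry:
    """Hypothetical governance registry that pins each proposal's code hash at
    submission and re-checks it before execution."""

    def __init__(self):
        self._pinned = {}

    def submit(self, proposal_id: int, code: bytes) -> None:
        if can_selfdestruct(code):
            raise ValueError(f"proposal {proposal_id}: contract can selfdestruct")
        self._pinned[proposal_id] = code_hash(code)

    def execute(self, proposal_id: int, code_now: bytes) -> bool:
        """True only if the code at execution time matches what voters saw."""
        return self._pinned.get(proposal_id) == code_hash(code_now)


# Constructed samples.
SAFE_CODE = bytes([0x60, 0x00, 0x60, 0x00, 0xF3])          # PUSH1 0 PUSH1 0 RETURN
PUSH_FF_CODE = bytes([0x60, 0xFF, 0x60, 0x00, 0x53, 0x00])  # PUSH1 0xff PUSH1 0 MSTORE8 STOP
DESTRUCTIBLE_CODE = bytes([0x33, 0xFF])                     # CALLER SELFDESTRUCT
SWAPPED_CODE = bytes([0x60, 0x01, 0x60, 0x00, 0x55, 0x00])  # PUSH1 1 PUSH1 0 SSTORE STOP


def demo() -> dict:
    """Run both checks over the samples and return the outcomes."""
    reg = ProposalRegistry()
    reg.submit(1, SAFE_CODE)
    try:
        reg.submit(2, DESTRUCTIBLE_CODE)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "safe_flagged": can_selfdestruct(SAFE_CODE),
        "push_ff_flagged": can_selfdestruct(PUSH_FF_CODE),
        "destructible_flagged": can_selfdestruct(DESTRUCTIBLE_CODE),
        "destructible_rejected": rejected,
        "unchanged_executes": reg.execute(1, SAFE_CODE),
        "swapped_executes": reg.execute(1, SWAPPED_CODE),  # code changed after vote
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The opcode scan is deliberately conservative: it flags any SELFDESTRUCT regardless of reachability, which is the right default for a proposal reviewer, since the cost of a false positive is a manual look at the contract. The hash pin is the complementary control: even if a scan misses something, a proposal whose bytecode no longer matches what was voted on does not execute.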

DAOs, short for decentralized autonomous organizations, are member-owned communities without centralized leadership.

These blockchain-based structures allow token holders to lock up their tokens as votes for proposing changes to a project. Such changes can range from deploying treasury funds for purposes that benefit the project to expanding onto other networks.

Attacker Submits Proposal to Undo Hack

In the latest development, the Tornado Cash DAO hacker has submitted a proposal to reverse the malicious changes.

“The attacker posted a new proposal to restore the state of governance,” user Tornadosaurus-Hex wrote in the Tornado Cash community forum, adding that there is a “good chance” that the attacker would execute it.

The user detailed that the attacker is reverting the 1,200,000 TORN tokens they granted themselves back to zero, which would remove their controlling share of the governance votes.

Based on the attacker’s possession of TORN governance tokens, the proposal is likely to get passed by the closing of voting on May 26. However, the timing of implementation remains uncertain.

Once the proposal is approved, the harmful code that the attacker incorporated into the protocol, enabling them to pilfer voting power from others, will be eliminated. Consequently, the governance of Tornado Cash’s DAO will revert to token holders.

At the time of writing, TORN is trading at $4.81, up by around 2% over the past day. The token is, however, down by more than 24% over the past week.

