In an unfortunate turn of events, Tornado Cash, the decentralized cryptocurrency anonymizer, fell victim to an orchestrated attack that gave an attacker total control of its governance. The assailant cleverly manipulated a governance proposal to their advantage, using it to gain complete control.
The incident unfolded on the morning of May 20, when the perpetrator successfully maneuvered a craftily designed proposal to secure an astonishing 1.2 million votes. This dubious proposal, supplemented by over 700,000 genuine votes, effectively handed over the reins of Tornado Cash's governance to the attacker.
This startling development was brought to light by @samczsun, a Twitter user and member of Paradigm, an investment firm focusing on technology research. While disseminating the harmful proposal, the attacker claimed it to be similar in logic to a proposal previously approved by the community, with one vital exception — it included an extra function.
samczsun tweeted, "Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control."
In seizing total control of Tornado Cash's governance, the attacker could extract all the votes locked in the system, siphon off all tokens held in the governance contract, and critically disable the router. As per the latest reports, the assailant has already "cashed out 10,000 votes, converting them to TORN and offloading the entirety."
Meanwhile, in an attempt to respond to this incident, a former developer from Tornado Cash has reportedly taken on the challenge of creating a fresh crypto mixing service. This new venture is set to tackle the severe loophole that exists in Tornado Cash, potentially ushering in a safer future for the platform's users.