A recent governance attack on the popular crypto mixer Tornado Cash has left investors and enthusiasts on edge. Attackers managed to gain full control over the platform’s governance by granting themselves 1.2 million votes through a malicious proposal. This number far exceeds the existing 700,000 legitimate votes. Consequently, the attackers have been withdrawing TORN from the Tornado Cash governance vault and trading it for Ethereum (ETH). The TORN price plummeted 35% to $3.7 within 24 hours.
In response, major crypto exchanges like Binance suspended TORN deposits on May 21 as a precautionary measure. However, other exchanges, such as Huobi Global and Poloniex, have chosen to continue allowing deposits and withdrawals. In the interim, Tornado Cash has urged users to withdraw their locked funds from governance as they work towards a resolution.
The Tornado Cash team was looking to start anew after facing US sanctions, the arrest of Alex Pertsev, and other issues, but the attack caught them off guard. They had noticed a potential exploit at the governance level but failed to take action because no TORN had been moved. The team was preoccupied with monitoring contracts being deployed after the proposal had passed, neglecting to realize the “self-destruct” call could be used for arbitrary code execution.
Researcher Samczsun from Paradigm revealed that Tornado Cash’s governance effectively failed on May 20. The attacker exploited the malicious proposal’s vulnerability, withdrawing all locked votes, draining TORN tokens from the governance vault, and bricking the router. Additionally, they were able to drain all ETH in pools by upgrading the contract as the recently launched Tornado Cash Nova on Gnosis Chain is a proxy.
As it stands, the attacker has deposited 6,000 TORN into Bitrue, swapped 380,000 TORN for ETH, and transferred 372 ETH into their Tornado Cash account. They still have some TORN remaining.
The TORN price has fallen by over 50% in the last day as the attackers withdraw tokens and sell them on exchanges and on-chain. For Tornado Cash, this marks a significant challenge as their compromised governance funds cast uncertainty over the project’s future. The introduction of precautionary measures has inevitably led to a loss of faith among some investors. However, with the Tornado Cash team actively working to revert the changes made by the attackers, perhaps the platform can eventually regain the trust necessary for long-term success.
In the ever-evolving world of cryptocurrencies, this incident serves as another reminder to always exercise caution and conduct thorough market research before investing.