Hackers Steal $1M From Tornado Cash, Then Propose to Fix Governance Takeover

Malicious Governance Takeover Allowed Tornado Cash Hacker To Steal $1M

By: Samuel Haig


In a turn of events that can only happen in crypto, the hacker who exploited Tornado Cash, a protocol that enables private cryptocurrency transactions, is proposing to patch the attack that allowed them to drain the equivalent of about $1M in tokens.

On Friday, the hacker stole more than $1M in assets from the protocol after concealing malicious code in a governance proposal that went undetected by the community. Two days later, the hacker proposed to patch that attack.

Voting is scheduled to close either Friday night or early Saturday morning. However, there is no guarantee the proposal will execute. Users can still withdraw funds from the protocol.

The incident highlights the vulnerability of token-based governance when the community of a web3 project fails to examine newly proposed governance measures with a fine-tooth comb. The tale is as old as DAOs, with The DAO, the first experiment in decentralized organizations on Ethereum, suffering a catastrophic $150M hack in 2016 when a hacker exploited unintentional vulnerabilities in the project’s code.

TORN Dives

The price of TORN, Tornado Cash’s native token, is down 7.5% in 24 hours, following a 10% rally on Sunday after the hacker proposed the fix. However, TORN remains down 32% since the weekend began.

The drop comes after an 85% plunge since August 2022, when the U.S. Treasury Department took the unprecedented move of sanctioning its code. The protocol was added to the agency’s list of Specially Designated Nationals, making it illegal for U.S. residents to interact with the protocol.

Crypto Mixer

Tornado Cash is an Ethereum-based protocol, known as a mixer, designed to offer users on-chain privacy.

The protocol obfuscates a user’s transaction history by sending assets via the protocol to a new address. The transfer is executed through a complicated web of smaller transactions, making it difficult for blockchain sleuths to untangle the movement of funds sent using Tornado Cash. Decentralized liquidity providers earn a fee in exchange for providing capital to facilitate the transactions.

Attack Mechanics

The attack consisted of the hacker making a proposal to Tornado Cash governance, where they added an extra function that allowed them to grant themselves 1,200,000 votes.

The fraudulent votes significantly outnumbered the 700,000 legitimate votes issued to TORN stakers, allowing the hacker to execute governance proposals at whim and access the funds held in the governance contract.

From there, they were able to withdraw 100,000 TORN tokens and 360 ETH, stacking about $1M in stolen funds. Ironically, the hacker used Tornado Cash to obscure the destination of 360 ETH they obtained by selling stolen TORN tokens.

Separately, there is another $1M at risk in Tornado Cash Nova, a Gnosis Chain-based deployment of the protocol. It would take seven days to execute a proposal draining that contract, so users with funds there still have time to withdraw.
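
The extra function hidden in the proposal, described above, is the kind of change a reviewer can surface by comparing function selectors in the deployed bytecode against a build the community has already reviewed. The sketch below is an added example, not Tornado Cash code or the author's; the bytecode, the selectors and the helper names are all constructed for illustration.

```python
# Added illustration, not Tornado Cash code: all bytecode below is constructed.
PUSH1, PUSH2, PUSH4, PUSH32 = 0x60, 0x61, 0x63, 0x7F
DUP1, EQ, JUMPI = 0x80, 0x14, 0x57


def dispatcher_selectors(code: bytes) -> set:
    """Return selectors tested by the dispatcher pattern PUSH4 <selector> EQ.

    The walk skips PUSH immediates so data bytes are never read as opcodes.
    """
    found, i = set(), 0
    while i < len(code):
        op = code[i]
        width = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        end = i + 1 + width
        if op == PUSH4 and end < len(code) and code[end] == EQ:
            found.add(code[i + 1:end].hex())
        i = end
    return found


def extra_functions(reviewed: bytes, deployed: bytes) -> list:
    """Selectors callable in the deployed code but absent from the reviewed build."""
    return sorted(dispatcher_selectors(deployed) - dispatcher_selectors(reviewed))


def _entry(selector_hex: str, dest: int) -> bytes:
    # One dispatcher branch: DUP1 PUSH4 <selector> EQ PUSH2 <dest> JUMPI
    return (bytes([DUP1, PUSH4]) + bytes.fromhex(selector_hex)
            + bytes([EQ, PUSH2]) + dest.to_bytes(2, "big") + bytes([JUMPI]))


# Constructed selectors; placeholders, not real function signatures.
REVIEWED = _entry("11111111", 0x0040) + _entry("22222222", 0x0080)
# PUSH32 constant whose bytes resemble "PUSH4 <selector> EQ": must be ignored.
DECOY = (bytes([PUSH32, PUSH4]) + bytes.fromhex("33333333")
         + bytes([EQ]) + bytes(26))
DEPLOYED = REVIEWED + _entry("deadbeef", 0x00C0) + DECOY

if __name__ == "__main__":
    print("selectors not in reviewed build:", extra_functions(REVIEWED, DEPLOYED))
```

A selector diff only covers functions routed through the dispatcher; fallback logic and calls into other contracts need separate review.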

Reversing the Attack

And there is an even brighter glimmer of hope – on Sunday Tornadosaurus-Hex, a Tornado Cash community member, flagged that the attacker launched a proposal that would reset their voting power from 1.2M to 0. The move would relinquish their control over the protocol’s governance.

The hacker still has full control over votes on this proposal, which will be approved or rejected around May 26 and currently has 517k votes in favor, according to Twitter user 0xdeadf4ce.

“Either they're giga trolling or it will end up being an expensive but not disastrous lesson in Governance security,” they said.