An attacker recently gained complete control over the governance of the Tornado Cash DAO through a malicious proposal adopted by the decentralized cryptomixer. The future plans, funds and operation of the privacy-focused cryptocurrency mixer, Tornado Cash, were taken over by an individual or group of unknown attackers on Saturday.
Tornado Cash is a cryptocurrency mixing service that runs on the Ethereum network and was recently sanctioned by the US Treasury Department. A DAO, or Decentralized Autonomous Organization, allows all token holders to lock their holdings as their votes for proposing changes to a project.
At the beginning of this weekend, the attacker got the malicious proposal that potentially affected the code function, giving them fake votes that could now be used to control certain aspects of Tornado Cash. DAO, including TORN tokens, are held in the master control contract or locked TORN token withdrawals. Tornado Cash’s operating system manages the protocol’s upgrades, which are primarily performed by the token holders of the project’s TORN tokens.
On May 20, the operating system approved an upgrade similar to the previous one that had already been implemented. But that was not true, because the unknown attacker had introduced an additional feature, as tweeted by Samczsun, a so-called security researcher. He also tweeted that the attackers now have all the votes and complete freedom to do whatever they want. In this case, they chose to take 10,000 votes as TORN tokens and sell them all.
After making the upgrade, the attacker used the feature to transfer an additional 1.2 million votes, giving them complete control over the entire operating system. The 10,000 votes in TORN tokens were sold for $25,600 and the remaining locked votes were cleared. A total of 483,000 TORN tokens were withdrawn from the vault, as reported by EmberCN. About 6,000 TORN tokens were reportedly deposited on Bitrue, a popular crypto exchange, and 379,000 were sold on-chain for Ether worth $680,000. The remaining tokens were under the control of the attackers, about 100,000 TORN tokens.
This attack had no actual impact on the Tornado Cash protocol, which allows users to transfer funds through the service to disguise or disguise the movement of money and digital addresses. This attack did not use the technology or smart contracts surrounding the operation of Tornado Cash.