A hacker has managed to take control of the governance of the Tornado Cash mixer through a malicious proposal. Will this event cause the end of the protocol?
Tornado Cash Governance Suffers a Hack
The attack that hit the Tornado Cash protocol this weekend was unusual, to say the least: a hacker managed to take control of governance through a malicious proposal. In a Twitter thread, Paradigm researcher @samczsun explained how the events unfolded:
On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz
— @samczsun.com (@samczsun) May 20, 2023
The procedure is quite technical, but let's try to summarize it simply and explain the consequences. First, the proposal was reportedly similar to a previously adopted proposal, except that it contained a function that, once validated by governance, allowed the attacker to modify critical points to give himself fake votes.
Thus, the hacker was able to grant himself 1,200,000 votes while the governance had about 700,000 legitimate ones. This gave him control of that governance, opening the way, for example, to the theft of the TORN tokens deposited in its pools.
Is this the end of the protocol?
While Tornado Cash had already seen its sustainability take a hit after the Office of Foreign Assets Control (OFAC) sanctions in August 2022, this new setback again puts the protocol at risk, at least in its current form.
Note that a priori, deposit pools used to anonymize funds do not appear to be in danger. In fact, the PeckShield alerts account even noted that the hacker had himself used the application to launder the funds he had stolen, which includes, for example, around 380,000 TORN exchanged for 372 ETH:
#PeckshieldAlert Tornado Cash Governance Exploiter has deposited 6K $TORN to #Bitrue. And swapped ~380K $TORN for $ETH and then transferred 372 $ETH into Tornado Cash https://t.co/3fEa1kYFaz pic.twitter.com/BzqagupO5c
—PeckShieldAlert (@PeckShieldAlert) May 21, 2023
According to MistTrack, SlowMist’s on-chain tracking unit, more than 483,000 TORNs were stolen in the attack:
💸 The remaining $TORN was exchanged for ETH using @1inch and then deposit into https://t.co/FRBMx1wIMz
Hacker Address: https://t.co/TT9DItDB6T
— MistTrack🕵️ (@MistTrack_io) May 21, 2023
At the current price, that’s almost $2.25 million. But this data is actually skewed, given that the token has lost 27.2% over the past 24 hours, and that the attacker has made many moves since taking control. With a daily high of $7.29 on Saturday, its price plunged to $3.55 after the attack, and is currently trading at $4.62.
At the time of writing, the hacker's address still held 97,700 TORN tokens.
For its part, Binance has temporarily paused the listing of the asset pending more visibility on this case.
While hackers usually target the smart contracts of the applications themselves, this event is a reminder that a protocol's points of attack can be found at different levels of its architecture. As for Tornado Cash specifically, the next few days will probably offer more clues about whether it will survive.
Investments in cryptocurrencies are risky. Cryptoast is not responsible for the quality of the products or services presented on this page and could not be held responsible, directly or indirectly, for any damage or loss caused following the use of a good or service highlighted in this article. Investments related to crypto-assets are risky by nature, readers should do their own research before taking any action and only invest within the limits of their financial capabilities. This article does not constitute investment advice.