Attacker hijacks Tornado Cash governance via malicious proposal

Attacker hijacks Tornado Cash governance via malicious proposal


Adding to the existing roadblocks of the decentralized crypto mixer Tornado Cash, an attacker managed to gain full control of the governance through a malicious proposal. 

On May 20 at 3:25 ET, an attacker successfully granted 1.2 million votes to a malicious proposal. Given that the proposal received more than 700,000 legitimate votes, the attacker gained total control over Tornado Cash governance.

The information was shared by @samczsun of research-driven technology investment firm Paradigm, who revealed that, when sharing the malicious proposal, the attacker claimed that it used a logic similar to a proposal that had previously passed by the community. However, this time, the proposal had an additional function. 

Ledger

As explained by @samczsun:

“Once the proposal was passed by voters, the attacker simply used the emergencyStop function to update the proposal logic to grant themselves the fake votes.”

The total control over Tornado Cash governance allows the attacker to withdraw all of the locked votes, drain all of the tokens in the governance contract and brick the router. At the time of writing, the attacker “simply withdrew 10,000 votes as TORN and sold it all,” said @samczsun.

The attack comes as a reminder to crypto investors to vet proposal descriptions and logic. An active community of Tornado Cash, who goes by the name Tornadosaurus-Hex or Mr. Tornadosaurus Hex, confirmed that all funds in Governance are potentially compromised and requested all members to withdraw all funds locked in governance.

As shown above, they also attempted deploying a contract that could potentially revert the changes while still suggesting the community to withdraw their funds. Cointelegraph also came across a distress call from one of Tornado Cash’s community developer who confirmed the above developments, stating:

“There was an attack on the protocol this morning that you already know about. All day, another community developer and I thought about what to do, but the situation is close to hopeless – currently the attacker controls Governance.”

The team is currently in search of Solidity developers that can help save the protocol from extinction. They additionally stated that “we need contact with Binance – this exchange has more tokens than the attacker.”

Related: Allbridge offers bounty to exploiter who stole $573K in flash loan attack

A former Tornado Cash developer is reportedly working on building a new crypto mixing service from scratch, which addresses the “critical flaw” existing in Tornado Cash.





Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

Pin It on Pinterest

Crypto-Trend
Blockonomics
Crypto-Trend
Attacker hijacks Tornado Cash governance via malicious proposal
Ledger
Coinmama
Grove Deploys Janus Henderson CLO & Treasury Funds on Avalanche
GENIUS Act Spurs Shift to Payment Utility in Stablecoins
Dragonfly Capital Faces DOJ Threat Over Tornado Cash Ties
Firedancer’s Full Potential Lies Beyond Solana’s Network
XRP Ledger at Core of VERT’s Strategy for $500M in Tokenized Private Credit Pipeline
How to Set Up a Bitcoin Inheritance Plan to Protect Your Crypto
bitcoin
ethereum
tether
binancecoin
solana
ripple
usd-coin
staked-ether
dogecoin
binance-usd
Blockonomics
Bybit
RI Mining Free Cloud Mining App Is Officially Launched
XRP price hits $3.45 after breakout, technical signals show rally may extend
SEC approves Grayscale’s conversion of BTC, ETH, SOL, XRP fund into an ETF
Bitcoin’s Hashrate Brushes All-Time High as Miners Close in on June Peak
PayPal to Enable Businesses to Accept Bitcoin, Ethereum and Other Cryptocurrencies
RI Mining Free Cloud Mining App Is Officially Launched
XRP price hits $3.45 after breakout, technical signals show rally may extend
SEC approves Grayscale’s conversion of BTC, ETH, SOL, XRP fund into an ETF
Bitcoin’s Hashrate Brushes All-Time High as Miners Close in on June Peak
bitcoin
ethereum
tether
binancecoin
solana
ripple
usd-coin
staked-ether
dogecoin
binance-usd
bitcoin
ethereum
tether
binancecoin
solana
ripple
usd-coin
staked-ether
dogecoin
binance-usd