Tornado Cash DAO Seized by Attacker Through Vote Fraud, Token Plummets by 40%

CFTC Initiates Enforcement Sweep Targeting Opyn and Other DeFi Operations

Coinbase-Backed Insurance Disruptor OpenCover Launches on Layer 2 Blockchain

DeFi and Credit Risk

On Saturday, an unidentified attacker or group of attackers successfully gained control over The DAO responsible for managing operations, funds, and future strategies of Tornado Cash, a privacy-focused cryptocurrency mixer.

DAOs, which stands for decentralized autonomous organizations, empower token holders to securely lock their holdings as votes to propose and enact changes within a project. These changes can encompass a broad range of actions, including allocating treasury funds towards initiatives that benefit the project or facilitating expansion onto alternative networks.

At the beginning of the weekend, the assailant introduced a deceitful proposal containing a concealed code function, enabling them to generate fraudulent votes. These votes can now be utilized to manipulate various operations within Tornado Cash, including the management of torn (TORN) tokens held in the primary governance contract or the release of locked torn tokens.

The attacker employed a method of submitting a proposal that mimicked a previous version, but with the addition of malicious code. This code facilitated the modification of the underlying logic, granting the attacker unrestricted access to all governance votes.

“Now that they have all the votes, they can do whatever they want,” security research @samczsun tweeted on Sunday. “In this case, they simply withdrew 10,000 votes as TORN and sold it all.”

 

Therefore, it is important to note that this attack has no direct impact on the functionality of the Tornado Cash protocol. The protocol itself enables users to utilize the service for the purpose of obfuscating the flow of funds and crypto addresses. It is crucial to emphasize that this attack does not involve the exploitation of any smart contracts or technology associated with the operation of Tornado Cash.

In the meantime, the Tornado Cash community has introduced recent proposals aimed at undoing the modifications made to the code. A community member has discovered that the attacker deliberately generated more than 1 million torn tokens, which equates to a value exceeding $4 million based on current prices.

Alternative proposals included creating a fresh agreement and distributing new tokens to existing holders through an airdrop mechanism.

According to data, Torn prices experienced a significant decline of up to 40% in the last 24 hours due to the governance attack.