Tornado Cash is the latest network to suffer an attack. On May 20, a Twitter user, @Samczsun, announced via a Twitter post that Tornado Cash governance no longer existed because an attacker granted themselves 1,200,000 votes, effectively taking over the network. The 1.2 million votes are 500 more than the officially recognized 700,000 legitimate votes. The implication of the attack was not lost on the crypto community: the attacker had control of the network.
Moved TORN tokens
In a subsequent post, @Samczsun said that the attacker was free to do what they wanted with the network since they controlled all the votes. They added, “In this case, they simply withdrew 10,000 votes as TORN and sold it all.” But the attacker was not done with the network. They would later obtain 483,000 TORN from the network’s governance vault and move 6,000 TORN into the Bitrue exchange. 379,300 TORN were sold, generating 375 ETH for the hacker. This is about $680,000, leaving 97,700 TORN.
Access to pool ether
Another Twitter user, @CellierLael, correctly observed that Tornado Cash Nova was deployed on the Gnosis chain as a governance-administered proxy, noting that the attacker can take control of the ETH in the pool by simply upgrading the contract.
Meanwhile, Binance has announced that it has stopped accepting TORN deposits because of the governance attack on Tornado Cash.
A turnaround that could end well
TornadoCash attacker deployed new proposal that, if executed, would seemingly revert the damage done to the Governance functionality. Either they’re giga trolling or it will end up being an expensive but not disastrous lesson in Governance security. https://t.co/QMWYFsi8kP
— 0xdeadf4ce (@0xdface) May 21, 2023
Things took a dramatic turn on Monday, when the wallet address associated with the attack put forth a proposal to revert governance to its previous state, a return to the status quo. The announcement was made in the Tornado Cash forum by a member of the TC community, Tornadosaurus-Hex, who said that the attacker was restoring the tokens they gave to themselves during the attack. He added that the attacker was likely going to execute the new proposal.