This past weekend, the Tornado Cash DAO suffered a malicious governance attack that sent the Torn token down by more than 40%.

As a result, control of the DAO's management operations, as well as its funds and future plans, passed to an unidentified attacker. As CoinDesk explains, DAOs let token holders lock up their holdings as votes on proposals to change a project, which can range from deploying treasury funds for the project's benefit to expanding onto other networks.

On Saturday, the attacker managed to submit a malicious proposal containing hidden code that now puts him in complete control: through fraudulently obtained votes, he can manage various aspects of the DAO.

Tornado Cash Seeks to Recover from Governance Attack

This governance attack makes an effective recovery difficult for Tornado Cash, since the votes themselves have been usurped. "Now that they have all the votes, they can do whatever they want," a security researcher quoted by the same outlet said on Twitter.

Among the assets now under the attacker's control is the Torn held in the main governance contract. This was made possible through the submission of a proposal that imitated an earlier one.

The crucial difference is that it contained malicious code that allowed a logic update and gave the attacker control of all governance votes. "In this case, they withdrew 10,000 votes like Torn and sold them all," explains the same security researcher.

Consequently, this governance attack against Tornado Cash is very difficult to reverse because of the power the attacker has gained. The Tornado community is considering proposals that would allow it to recover from the situation.

Some Characteristics of the Attack

Like all attacks carried out by hackers, this governance attack against Tornado Cash has one target: money. The attacker is reported to have minted 1 million tokens (Torn) for himself, worth approximately $4 million.

It is important to keep in mind that this attack did not affect the Tornado protocol itself: it was not a breach of the smart contracts or of any other technology sensitive to the operation of Tornado Cash.

In any case, a proposal submitted today by an address linked to the attacker provides for removing the malicious code the attacker introduced, which would restore governance of the DAO. According to specialized portals, the proposal would be approved when voting closes on May 26. However, it is not yet clear when it would be implemented if approved.

This governance attack against Tornado Cash should also be taken as a reminder about user security measures: before engaging with any DAO proposal, its security and logic should be examined.

The attack is a reminder to crypto investors to examine both the descriptions and the actual logic of proposals. Maintaining high vigilance is critical for DAOs, as it can deter attackers, who tend to pick easier targets.
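The two paragraphs above (a proposal whose code differed from the earlier one it imitated, and the advice to check a proposal's logic rather than its description) can be illustrated with an added example. This is illustrative code written for this article, not Tornado Cash's governance contract or any real DAO's code; the `Chain`, `Governance` and `Proposal` names, the `0xGOOD` and `0xLOOKALIKE` addresses and the bytecode strings are all constructed. It models a governance module that records the code hash of a proposal's target at submission, lets voters compare that hash against the hash of the reviewed source, and refuses execution if the target's code no longer matches what was voted on.

```python
# Added illustration (not code from the article or from Tornado Cash): a toy
# governance module that pins the code hash of each proposal target when the
# proposal is submitted, lets voters compare it with the hash of the reviewed
# code, and refuses to execute if the code on chain no longer matches.
import hashlib
from dataclasses import dataclass, field


def code_hash(bytecode: bytes) -> str:
    # Stand-in for the chain's code hash; the EVM uses keccak256, sha256 is
    # used here only so the example runs offline with the standard library.
    return hashlib.sha256(bytecode).hexdigest()


@dataclass
class Chain:
    """Constructed stand-in for on-chain state: address -> deployed bytecode."""
    code: dict = field(default_factory=dict)


@dataclass
class Proposal:
    target: str          # address whose code the proposal would execute
    pinned_hash: str     # code hash of the target at submission time
    description: str     # human-readable label voters are shown
    votes_for: int = 0


class Governance:
    def __init__(self, chain: Chain, reviewed_hashes: dict):
        self.chain = chain
        # description -> hash of the audited/compiled code reviewers published
        self.reviewed = reviewed_hashes
        self.proposals = []

    def submit(self, target: str, description: str) -> int:
        """Record the proposal and pin the target's current code hash."""
        pinned = code_hash(self.chain.code[target])
        self.proposals.append(Proposal(target, pinned, description))
        return len(self.proposals) - 1

    def matches_reviewed(self, pid: int) -> bool:
        """Voter-side check: does the target's code match the reviewed code,
        rather than merely carrying the same description as a past proposal?"""
        p = self.proposals[pid]
        return self.reviewed.get(p.description) == p.pinned_hash

    def execute(self, pid: int) -> str:
        """Execution-side check: refuse if the code changed after the vote."""
        p = self.proposals[pid]
        current = code_hash(self.chain.code.get(p.target, b""))
        if current != p.pinned_hash:
            return "rejected: target code changed since submission"
        return "executed"


def demo() -> dict:
    """Run the three checks on constructed data and return the outcomes."""
    audited = b"audited proposal logic v1"                 # constructed bytecode
    chain = Chain({
        "0xGOOD": audited,
        # same description as the audited proposal, but extra hidden logic
        "0xLOOKALIKE": audited + b" + hidden logic update",
    })
    reviewed = {"upgrade-v1": code_hash(audited)}
    gov = Governance(chain, reviewed)

    good = gov.submit("0xGOOD", "upgrade-v1")
    lookalike = gov.submit("0xLOOKALIKE", "upgrade-v1")
    results = {
        "good_matches_reviewed": gov.matches_reviewed(good),
        "lookalike_matches_reviewed": gov.matches_reviewed(lookalike),
        "good_exec_before_swap": gov.execute(good),
    }
    # Simulate the target's code being replaced after the vote passed.
    chain.code["0xGOOD"] = b"different code deployed at the same address"
    results["good_exec_after_swap"] = gov.execute(good)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two checks is that a proposal's description is not evidence of what it does: voters compare the pinned hash with the hash of code they have actually reviewed, and the executor re-checks that hash so a vote cannot be cashed in against code other than the code that was voted on.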

By Audy Castaneda


