Tornado Cash Governance Hijacked By Attacker Through Malicious Proposal


An attacker has added to the roadblocks already facing Tornado Cash, a decentralized crypto mixer, by gaining full control of the mixer's governance through a proposal that was later deemed to be malicious.

On 20th May, the attacker managed to grant 1.2 million votes to a seemingly malicious proposal. Since the proposal was estimated to have received close to 700,000 legitimate votes, the attacker soon went on to gain complete control over the governance of the mixer. Information about the hijack was shared by a user of the research-driven technology investment firm Paradigm, and it revealed that the malicious proposal used logic similar to that of a proposal the community had previously passed. This time around, however, the proposal had a completely different function.

Tornado Cash Experienced Major Exploit

Total control over the governance of Tornado Cash allowed the attacker to withdraw all of the locked votes, drain all of the tokens from the governance contract, and then brick the router.

The attacker then withdrew 10,000 votes as TORN and sold them all. The attack is a glaring reminder to crypto investors to vet proposal logic and descriptions. An active community member, Mr. Tornadosaurus Hex, confirmed that all the funds in Governance have potentially been compromised, and he asked all members to withdraw any funds locked in governance.

The Tornado Cash team is also currently searching for Solidity developers who would be able to help save the protocol from complete extinction.