Malevolent Attacker Seizes Control of Tornado Cash’s Governance by Means of a Nefarious Proposal

By gaining complete control over Tornado Cash governance, the attacker exercises authority to withdraw all locked votes, deplete all tokens held in the governance contract, and render the router inoperable.

In addition to the existing challenges faced by the decentralized crypto mixer Tornado Cash, an attacker successfully took over the governance system by submitting a harmful proposal.

On May 20 at 3:25 ET, someone managed to give 1.2 million votes to a harmful proposal, taking advantage of the fact that the proposal had already received over 700,000 valid votes. This allowed the attacker to gain complete control over Tornado Cash’s governance.

@samczsun from Paradigm, a research-driven technology investment firm, shared the information. According to him, the attacker claimed that they based their malicious proposal on a previously approved proposal using a similar approach. However, this time, the attacker included an extra function in the proposal.

After the proposal was approved by the voters, the attacker easily manipulated the situation by using the emergency Stop function to modify the proposal logic and give themselves fake votes.

Having full control over Tornado Cash governance enables the attacker to withdraw all locked votes, drain all tokens stored in the governance contract, and render the router inoperable. Currently, the attacker has easily withdrawn 10,000 votes as TORN and sold all of it, as mentioned by @samczsun.

Centered JavaScript

Furthermore, the attacker made an effort to deploy a contract that might undo the modifications made, while simultaneously advising the community to withdraw their funds. Cointelegraph also discovered a plea for help from a developer within Tornado Cash’s community, who confirmed these events.

Earlier today, the protocol experienced an attack that you’re likely aware of. Throughout the day, another developer and I contemplated our options, but the situation appears quite dire. Presently, the attacker has full control over Governance, leaving us with limited hope for resolving the situation.

The team is actively seeking Solidity developers who can assist in saving the protocol from potential demise. They have also emphasized the importance of establishing contact with Binance, as this exchange possesses a greater number of tokens compared to the attacker.

According to reports, a former Tornado Cash developer is currently working on creating a brand new crypto mixing service from the ground up. This new service aims to fix the “critical flaw” that exists in Tornado Cash.

The developer hopes the solution will empower β€œthe community to defend against hackers abusing the anonymity sets of honest users without requiring blanket regulation or sacrificing on crypto ideals.”

Important: This article is intended solely for informational purposes. It should not be considered or relied upon as legal, tax, investment, financial, or any other form of advice.


  • Salim

    "Salim is a news writer at CryptosHeadlines who creates excellent, well-optimized content to ensure user satisfaction. He is skilled in forecasting News About Cryptocurrency Market & blockchain Industry."

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *