Attacker Takes Over Tornado Cash DAO With Vote Fraud, Token Slumps 40%

A malicious proposal allowed an unidentified attacker to take over Tornado Cash, opening up the floodgates to a potential treasury drain.

May 21, 2023 at 8:19 a.m. UTC
Updated May 22, 2023 at 7:24 p.m. UTC

The DAO handling operations, funds and future plans of privacy-focused crypto mixer Tornado Cash was effectively taken over by an unidentified attacker, or group of attackers, on Saturday.

DAOs, short for decentralized autonomous organizations, allow token holders to lock up their holdings as votes for proposing changes to a project. These changes can range from deploying treasury funds to purposes that benefit the project to expansion on other networks.

At the start of the weekend, the attacker put forward a malicious proposal containing a hidden code function that granted them fake votes. Those votes can now be used to control some aspects of Tornado Cash, such as the torn (TORN) tokens held in the main governance contract and the withdrawal of locked torn tokens.

This was done with a proposal that imitated an earlier one, except that it carried malicious code allowing the proposal's logic to be updated, which gave the attacker access to all governance votes.
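One defensive check this incident motivates, shown here as an added illustration rather than Tornado Cash's or any project's actual code: a toy governance flow in Python that pins the code hash of a proposal's target when the proposal is created and refuses to execute if that code has changed by execution time. The addresses, quorum and bytecode stand-ins are constructed values.

```python
import hashlib
from dataclasses import dataclass


def code_hash(bytecode: bytes) -> str:
    """Stand-in for the EVM's EXTCODEHASH: a hash of the code at an address."""
    return hashlib.sha3_256(bytecode).hexdigest()


@dataclass
class Proposal:
    target: str
    pinned_code_hash: str   # hash of the target's code when voters saw it
    votes_for: int = 0
    executed: bool = False


class Governance:
    """Toy governance: propose -> vote -> execute, with code-hash pinning."""

    def __init__(self, chain: dict, quorum: int):
        self.chain = chain      # address -> bytecode (constructed mock chain state)
        self.quorum = quorum
        self.proposals = []

    def propose(self, target: str) -> int:
        p = Proposal(target=target, pinned_code_hash=code_hash(self.chain[target]))
        self.proposals.append(p)
        return len(self.proposals) - 1

    def vote(self, pid: int, weight: int) -> None:
        self.proposals[pid].votes_for += weight

    def execute(self, pid: int) -> str:
        p = self.proposals[pid]
        if p.executed:
            return "already executed"
        if p.votes_for < self.quorum:
            return "rejected: quorum not reached"
        # The code voters reviewed must be the code that actually runs.
        if code_hash(self.chain[p.target]) != p.pinned_code_hash:
            return "rejected: target code changed since proposal"
        p.executed = True
        return "executed"


def demo() -> tuple:
    chain = {"0xPROPOSAL": b"reviewed proposal logic"}   # constructed, not real bytecode
    gov = Governance(chain, quorum=100)
    pid = gov.propose("0xPROPOSAL")
    gov.vote(pid, 150)
    honest = gov.execute(pid)                          # unchanged code: runs
    pid2 = gov.propose("0xPROPOSAL")
    gov.vote(pid2, 150)
    chain["0xPROPOSAL"] = b"swapped logic after the vote"  # code replaced post-vote
    return honest, gov.execute(pid2)                   # changed code: blocked
```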

“Now that they have all the votes, they can do whatever they want,” security researcher @samczsun tweeted on Sunday. “In this case, they simply withdrew 10,000 votes as TORN and sold it all.”

The attack does not affect the Tornado Cash protocol itself, which lets users pass funds through the service to mask or obscure the movement of funds and the crypto addresses involved. It was not an exploit of any smart contract or technology underlying the working of Tornado Cash.

Meanwhile, the Tornado Cash community has put forward new proposals that seek to revert the changes made to the code. One community member observed that the attacker had maliciously minted over 1 million torn for themselves, worth over $4 million at current prices.

Others suggested making a new contract altogether and airdropping new tokens to holders.

Torn prices slumped as much as 40% in the past 24 hours as a result of the governance attack, data shows.


Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.

