Over the weekend, an unidentified attacker or group of attackers has taken over the DAO that handles all operations, funds, and future plans of Tornado Cash, a privacy-focused crypto mixer.
Decentralized autonomous organizations (DAOs) allow token holders to lock up their holdings as votes on proposals to change a project. These changes can range from deploying treasury funds for purposes that benefit the project to expanding onto other networks.
The attacker floated a malicious proposal that hid a code function granting them fake votes, which can now be used to control some aspects of Tornado Cash, such as the TORN tokens held in the main governance contract or the withdrawal of locked TORN tokens. This was done by putting forth a proposal that imitated an earlier one, except with added malicious code that allowed its logic to be updated after approval, giving the attacker access to all governance votes.
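The failure mode described above, a proposal whose code changes between the vote and its execution, and one mitigation, in a simplified simulation added here as an example (not Tornado Cash's own code): the governance contract pins a hash of the proposal code at submission and refuses to execute if the code at that address has changed since. Addresses, balances and the tiny "op:arg" instruction format are constructed.

```python
import hashlib

def code_hash(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()  # stand-in for EXTCODEHASH

class Chain:
    """Toy ledger (constructed): code deployed at addresses plus TORN balances."""
    def __init__(self):
        self.code = {}                      # address -> code in a tiny "op:arg:..." format
        self.balances = {"treasury": 1_000_000}
    def deploy(self, addr, code):
        self.code[addr] = code              # redeploying overwrites what is at addr
    def run(self, addr):
        op, *args = self.code[addr].decode().split(":")
        if op == "transfer":                # transfer:<from>:<to>:<amount>
            self.balances[args[0]] -= int(args[2])
            self.balances[args[1]] = self.balances.get(args[1], 0) + int(args[2])
        elif op == "mint":                  # mint:<who>:<amount>
            self.balances[args[0]] = self.balances.get(args[0], 0) + int(args[1])
        else:
            raise ValueError(f"unknown op {op}")

class Governance:
    def __init__(self, chain, quorum):
        self.chain, self.quorum, self.proposals = chain, quorum, {}
    def propose(self, addr):
        # Pin the hash of the code voters actually review.
        self.proposals[addr] = {"pinned": code_hash(self.chain.code[addr]), "votes": 0}
    def vote(self, addr, n):
        self.proposals[addr]["votes"] += n
    def execute(self, addr, pin_code=True):
        p = self.proposals[addr]
        if p["votes"] < self.quorum:
            raise PermissionError("quorum not reached")
        # Hardened path: refuse if the code at addr differs from what was voted on.
        if pin_code and code_hash(self.chain.code[addr]) != p["pinned"]:
            raise PermissionError("proposal code changed after the vote")
        self.chain.run(addr)

def scenario(pin_code):
    # A benign-looking proposal passes, then its logic is swapped before execution.
    chain = Chain()
    gov = Governance(chain, quorum=100)
    chain.deploy("0xprop", b"transfer:treasury:grants:10000")
    gov.propose("0xprop")
    gov.vote("0xprop", 150)
    chain.deploy("0xprop", b"mint:attacker:1000000")   # logic updated after the vote
    try:
        gov.execute("0xprop", pin_code=pin_code)
        return "executed", chain.balances.get("attacker", 0)
    except PermissionError:
        return "blocked", chain.balances.get("attacker", 0)
```

Without pinning, `scenario(False)` executes the swapped code and mints 1,000,000 TORN to the attacker; with pinning, `scenario(True)` is blocked and no tokens are minted.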
As a result, the attacker now holds all the votes, which means they have complete control over the DAO. Security researcher @samczsun tweeted on Sunday that “Now that they have all the votes, they can do whatever they want. In this case, they simply withdrew 10,000 votes as TORN and sold it all.” This is a serious issue that puts the future plans of the Tornado Cash DAO at risk.
However, it is important to note that this attack does not affect the actual Tornado Cash protocol. The protocol allows users to pass funds through the service to obscure the movement of funds and the crypto addresses involved. The attack did not exploit any smart contract or other technology involved in the working of Tornado Cash.
The Tornado Cash community has put up new proposals seeking to revert the changes made to the code. One community member observed that the attacker had maliciously minted over 1 million TORN for themselves, worth over $4 million at current prices. Despite this, the community is determined to keep the Tornado Cash project going and is taking steps to ensure that such an attack does not happen again.