A malicious hacker has reportedly removed and sold locked governance votes from the crypto mixer Tornado Cash. A report from on-chain analyst EmberCN revealed that a total of 483,000 TORN tokens were drained from the vault.
The report claimed 6,000 TORN were deposited on the Bitrue exchange, 379,000 TORN were sold on-chain for $680,000 in Ether, and approximately 100,000 TORN remained with the attacker.
How Did the Attack Occur?
According to the update, the attacker managed to push a malicious proposal through the Tornado Cash DAO, giving them complete control over the governance system.
Notably, the governance system of Tornado Cash plays a crucial role in enabling token holders to participate in the decision-making process and shape the future of the protocol.
Token holders can vote on submitted proposals, and each token holder typically has voting power proportional to their token holdings. However, Twitter user Samczsun revealed that the attacker obtained 1,200,000 votes using a fraudulent proposal, surpassing the approximately 700,000 legitimate votes.
Consequences of the Attack
An attack of this type can seriously harm Tornado Cash’s trust and reputation. Users and the broader community may lose faith in the protocol’s security and integrity, resulting in decreased usage, withdrawal of cash, and unfavorable sentiment toward the project.
The incident and its aftermath may also divide the community. Different factions may hold opposing views on how to respond to the attack and recover from it, which could lead to conflict.
Following the attack, Wu Blockchain revealed on Twitter that Binance will temporarily stop accepting TORN deposits. However, Justin Sun said on Twitter that deposits and withdrawals of the token remain open on Huobi.
Mitigating the Attack
Stricter access controls and permission processes can help reduce the possibility of unauthorized access to locked votes. This could include requiring multi-factor authentication, requesting additional verification for essential operations, or imposing robust controls on governance actions.
Tornado Cash is a decentralized protocol designed to improve the anonymity and fungibility of Ethereum. Its goal is to provide consumers with a dependable, non-custodial alternative for improving transaction privacy and removing the link between sender and recipient addresses.
However, in August, Tornado was sanctioned by the US Treasury Department for laundering nearly $7 billion. As part of the sanctions, all Tornado assets owned by Americans were frozen.