A recent incident has added to the challenges faced by the decentralized crypto mixer Tornado Cash: an attacker successfully hijacked its governance through a malicious proposal.
On May 20 at 3:25 ET, the attacker managed to grant 1.2 million votes to their proposal, taking advantage of more than 700,000 legitimate votes to gain full control over Tornado Cash's governance.
The attacker shared the malicious proposal, claiming it had similar logic to a proposal previously approved by the community. However, this time, the proposal included an additional function.
With complete control over Tornado Cash governance, the attacker can withdraw locked votes, drain tokens in the governance contract, and potentially disrupt the router. At present, the attacker has already withdrawn 10,000 votes as TORN and sold them.
This incident serves as a reminder for crypto investors to carefully evaluate proposal descriptions and logic. The Tornado Cash community, known as Tornadosaurus-Hex or Mr. Tornadosaurus Hex, has advised all members to withdraw their locked funds from governance as they may be compromised.
The Tornado Cash team is actively seeking Solidity developers to assist in saving the protocol from potential extinction. They have also expressed the need to establish contact with Binance, as the exchange holds more tokens than the attacker.
In the meantime, a former Tornado Cash developer is working on building a new crypto mixing service from scratch, aiming to address the existing "critical flaw" in Tornado Cash. The developer hopes this solution will empower the community to defend against hackers without compromising on crypto ideals or requiring excessive regulation.