An analyst from tech investment firm Paradigm made a remarkable claim about the Tornado Cash platform and its altcoin TORN.
Tornado Cash, a platform that allows users to send and receive Ethereum anonymously, has suffered a massive governance attack that puts its future in jeopardy.
An anonymous attacker managed to submit a proposal and get it accepted, which gave them 1.2 million votes and full control over the platform's governance.
Tornado Cash Platform Attacked, Allegedly Attacker Takes Control of TORN Altcoins
The attack took place on May 20, at 10:25 am, when the attacker submitted a proposal claiming to use the same logic as a previous proposal approved by the community.
However, the proposal contained a hidden function that allowed the attacker to update the proposal after it had passed. The attacker then used this function to grant themselves fake votes, exceeding the total number of legitimate votes (~700,000).
On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz
— @samczsun.com (@samczsun) May 20, 2023
With these votes, the attacker can now perform various malicious actions, such as withdrawing all locked votes, draining all tokens in the governance contract, and locking the router. However, they still cannot empty the individual token pools, which means users' funds are safe for now.
The attacker has already withdrawn 10,000 votes as TORN tokens and has sold them on the market, causing the TORN price to drop significantly.
This event highlights the importance of being careful when voting on proposals on decentralized platforms. Users should not rely only on proposal descriptions or verified source code, but should also check whether the proposal contract has any functionality that could alter its logic or make it self-destruct. Otherwise, they may end up voting for something they did not want.
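One way to run the check suggested above, as an added example that is not from the original article or from the Tornado Cash project: a Python sweep over a contract's runtime bytecode that flags self-destruct and delegated-execution opcodes. The flagged opcode set and the sample bytecode are assumptions constructed for illustration.

```python
# Added example: linear sweep over EVM runtime bytecode for risky opcodes.
# The flagged opcode set is this example's assumption, not an official list.
RISKY_OPCODES = {
    0xFF: "SELFDESTRUCT",   # contract can delete itself
    0xF4: "DELEGATECALL",   # runs external code against this contract's storage
    0xF2: "CALLCODE",       # legacy form of DELEGATECALL
}
PUSH1, PUSH32 = 0x60, 0x7F


def scan_bytecode(code_hex):
    """Return [(offset, opcode_name)] for every risky opcode found.

    PUSH1..PUSH32 carry 1..32 bytes of immediate data; those bytes are
    skipped so that a constant such as 0xff is not reported as an opcode.
    Bytes after the executable code (e.g. compiler metadata) are swept too,
    so a hit means "review this offset by hand", not proof of a backdoor.
    """
    if code_hex.startswith(("0x", "0X")):
        code_hex = code_hex[2:]
    code = bytes.fromhex(code_hex)
    findings = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op in RISKY_OPCODES:
            findings.append((pc, RISKY_OPCODES[op]))
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1   # skip the immediate operand
        pc += 1
    return findings


# Constructed sample bytecode (not taken from any real contract).
# PUSH1 0xff, PUSH1 0, MSTORE, PUSH1 0x20, PUSH1 0, RETURN: 0xff is data only.
BENIGN = "0x60ff60005260206000f3"
# CALLER, SELFDESTRUCT
SELF_DESTRUCTING = "0x33ff"
# 4x PUSH1 0, PUSH20 <address of all 0xff>, GAS, DELEGATECALL
DELEGATING = "0x" + "6000" * 4 + "73" + "ff" * 20 + "5af4"

if __name__ == "__main__":
    for name, code in [("benign", BENIGN), ("self-destructing", SELF_DESTRUCTING),
                       ("delegating", DELEGATING)]:
        hits = scan_bytecode(code)
        print(f"{name}: {hits if hits else 'no risky opcodes'}")
```

Feed it the runtime bytecode a node returns for the proposal address (the `eth_getCode` JSON-RPC call), so the review covers what is actually deployed and not only the description.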