Popular Crypto Mixer Tornado Cash Hacked, Governance Compromised, and $2.1M TORN Token Stolen
Attacker Gains Control
An attacker has taken control of the governance of popular crypto mixer, Tornado Cash, after deploying a malicious contract to access thousands of votes. The attacker had deployed a fraudulent proposal that was passed earlier with added functionality that was not disclosed. They then implemented the emergencyStop function, updated the proposal logic, and granted themselves 1.2 million fake votes. As the attacker’s votes are more than 700,000 legitimate ones, they now have full control of the crypto mixer’s governance. This means that they can withdraw all locked votes, drain tokens in the governance contract, and brick the router.
Proposed Solution
A member of the Tornado Cash community suggested a solution to this breach. The proposed solution for the attack is to revert the state changes in the contract. The community member has deployed a contract that can carry out this function. However, they have urged users to withdraw their assets locked in the contract as soon as possible.
$2.1M worth TORN Tokens Stolen
Shortly after taking hold of Tornado Cash’s contract, the attacker drained 473,000 TORN, the mixer’s native token, worth more than $2.1 million from the governance contract. The bad actor sold the assets on-chain and deposited the profits back into Tornado.
Tornadosaurus-Hex, an active member of the Tornado Cash community, confirmed that the attack had compromised all funds in governance and asked all members to withdraw their assets locked in the contract.
Lessons Learned
As proposal descriptions and logic can lie, users need to be careful what they vote for. If they are depending on the verified source code to remain the same, they should ensure the contract does not have the ability to self-destruct.