On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control.
openchain.xyz/trace/ethereum…
First, what does this mean for Tornado Cash?
Through governance control, the attacker can:
- withdraw all of the locked votes
- drain all of the tokens in the governance contract
- brick the router
However, the attacker still can't:
- drain individual pools
Next, how did this happen?
Well, when the attacker created their malicious proposal, they claimed to have used the same logic as an earlier proposal which had passed. However, that wasn't exactly the truth, because they added an extra function.
etherscan.io/address/0xC503…
Once the proposal was passed by voters, the attacker simply used the emergencyStop function to update the proposal logic to grant themselves the fake votes.
openchain.xyz/trace/ethereum…
openchain.xyz/trace/ethereum…
Now that they have all the votes, they can do whatever they want. In this case, they simply withdrew 10,000 votes as TORN and sold it all.
openchain.xyz/trace/ethereum…
Finally, what can we learn from this?
Be careful what you vote for! While we all know that proposal descriptions can lie, proposal logic can lie too! If you're depending on the verified source code to stay the same, make sure the contract doesn't have the ability to selfdestruct.
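That last lesson is a check you can run against the deployed bytecode itself rather than trusting the verified source. The following Python is an added example, not code from this thread or from Tornado Cash: it linearly disassembles EVM runtime bytecode and reports every SELFDESTRUCT (0xff) instruction, skipping PUSH immediates so that a 0xff data byte is not reported as a false positive. The sample bytecode, the placeholder beneficiary address and the function names are all constructed for the example.

```python
# Added example (not from the thread): a defender-side check for the lesson
# "make sure the contract doesn't have the ability to selfdestruct".
# Linear EVM disassembly so that 0xff bytes inside PUSH immediates are not
# mistaken for SELFDESTRUCT instructions. All sample bytecode is constructed.

SELFDESTRUCT = 0xFF
PUSH1, PUSH32 = 0x60, 0x7F


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate) for each instruction in `code`.

    PUSHn (0x60..0x7f) is followed by n immediate bytes that are data, not
    opcodes, so the cursor skips over them instead of decoding them.
    """
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            yield pc, op, code[pc + 1 : pc + 1 + width]
            pc += 1 + width
        else:
            yield pc, op, b""
            pc += 1


def strip_metadata(code: bytes) -> bytes:
    """Heuristically remove the CBOR metadata blob solc appends to runtime code.

    The blob ends with a 2-byte big-endian length; a CBOR map header (0xa1/0xa2)
    at the start of the blob is used as a sanity check before stripping, so
    bytecode without metadata is returned unchanged.
    """
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    start = len(code) - 2 - meta_len
    if start > 0 and code[start] in (0xA1, 0xA2):
        return code[:start]
    return code


def selfdestruct_offsets(code: bytes) -> list[int]:
    """Program-counter offsets of every SELFDESTRUCT instruction in `code`."""
    return [pc for pc, op, _ in disassemble(strip_metadata(code)) if op == SELFDESTRUCT]


def has_selfdestruct(hex_code: str) -> bool:
    """Check a hex string as returned by eth_getCode (with or without 0x)."""
    code = bytes.fromhex(hex_code.removeprefix("0x"))
    return bool(selfdestruct_offsets(code))


# Constructed sample 1: PUSH1 0xff; PUSH1 0x00; MSTORE; STOP
# Contains a 0xff byte, but only as push data: a naive byte search is wrong here.
SAFE_PUSH_DATA = bytes.fromhex("60ff600052" "00")

# Constructed sample 2: PUSH20 <beneficiary>; SELFDESTRUCT
# The 20-byte address is a made-up placeholder; SELFDESTRUCT sits at offset 21.
HIDDEN_SELFDESTRUCT = bytes.fromhex("73" + "11" * 20 + "ff")

if __name__ == "__main__":
    for name, code in (("safe", SAFE_PUSH_DATA), ("hidden", HIDDEN_SELFDESTRUCT)):
        naive = code.find(b"\xff")
        real = selfdestruct_offsets(code)
        print(f"{name}: naive first 0xff at {naive}, SELFDESTRUCT instructions at {real}")
```

In practice you would fetch the proposal contract's runtime code with eth_getCode and pass it to has_selfdestruct before voting. The check is deliberately conservative: a SELFDESTRUCT in unreachable code still counts, and if the proposal delegates to another contract (a proxy or library) that target's code needs the same scan, since the dangerous instruction may live there instead.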