Attacker Takes Over Tornado Cash DAO
On Saturday, an unidentified attacker, or group of attackers, effectively took over the DAO in charge of Tornado Cash’s operations, funds, and future.
At the start of the weekend, the attacker circulated a malicious proposal that concealed a code function granting them fake votes. Those votes can now be used to manage some aspects of Tornado Cash, such as the torn (TORN) tokens held in the main governance contract or the withdrawal of locked torn tokens.
This was accomplished by submitting a proposal that resembled an earlier version – except for some malicious code that allowed the logic to be updated, granting the attacker access to all governance votes.
“Now that they have all the votes, they can do whatever they want,” security researcher @samczsun tweeted on Sunday. “In this case, they simply withdrew 10,000 votes as TORN and sold it all.”
This attack does not impact the actual Tornado Cash protocol, which allows users to pass funds through the service to mask or obscure the movements of funds and crypto addresses.
(With inputs from Shikha Singh)