Tornado Cash DAO Attacker Moves Tokens as Motion Challenging Protocol’s Sanction Garners Support

Troubled privacy-focused coin mixer Tornado Cash suffered an exploit of sorts over the weekend after one or more attackers deployed a malicious proposal that gave them complete control over its governance system. The proposal was passed by the Tornado Cash decentralized autonomous organization (DAO), which facilitates governance affairs on the Ethereum mixing service. The perpetrator had disguised the attack using the same logic as a proposal passed on May 18 but embedded in it code granting them 1.2 million votes.

The attacker effectively gained governance control after exceeding the 700,000 legitimate votes and leveraged this to drain locked votes under Tornado Cash DAO. Records indicate that the attacker first withdrew 10,000 votes as TORN tokens, dumping them for $25,600 before draining the remaining votes. Pseudonymous on-chain analyst EmberCN posted on Twitter that the attacker managed to walk away with 483,000 TORN tokens, exchanging a significant chunk (379,000 TORN) for 372 Ether tokens worth $680,000.

Tornado Cash attacker submitted a proposal to partially ‘undo’ attack

Late Sunday, the attacker submitted a proposal reverting governance control as detailed in a more recent post on the community forum.

“The [Tornado Cash] attacker posted a new proposal to restore the state of Governance. I think that there is a good chance he’s going to execute it,” a community member wrote on the forum page.

The price of TORN, which had plunged as the news of the attack broke from a high of $7.3 on Saturday to as low as $3.75, bounced to around $4.85 on account of the latter news. The token price recovery was also likely boosted by the nature of the attack, considering it didn’t target the protocol, smart contracts or technology related to the operation of the mixer.

TORN/USDT price chart. Source: TradingView

Some observers, however, raised concerns about the proposal purporting to revert the damage while questioning the attacker’s motives. An active member, Tornadosaurus-Hex, also tried to deploy a contract that could revert the changes while clarifying that the governance members have no choice in whether the proposal passes.

“I mean note that we don’t even have a choice in regards to this proposal, but it is still important nonetheless.”

The outcome of the attacker’s proposal remains unclear, but given that the attacker has control of TORN governance tokens, the proposal is likely to pass when the voting period elapses on May 26. Execution of this proposal will see Tornado Cash DAO governance handed back to holders of the TORN token.

The latest on-chain records show that wallet addresses linked to the Tornado Cash DAO attacker appeared to have moved 100 ETH and 38,302 TORN late Wednesday. Per Etherscan data, the still-unidentified attacker carried out two transactions through the funds-obfuscating Tornado Cash protocol and was left with over 20 ETH tokens.

The incident involving Tornado Cash DAO comes three weeks after DeFi protocol 0VIX lost roughly $2 million in a flash-loan exploit, elevating concerns about the security of decentralized systems. Blockchain security firm CertiK ruled out “a respite in exploits, flash loans or exit scams” while forecasting a swell in ill-natured events involving cross-chain bridges. Earlier this month, decentralized exchange Level Finance saw a security breach in which the attacker drained over 214,000 of the exchange’s native (LVL) tokens. While the magnitude of crypto hacks in terms of funds stolen has seen a slight reprieve thus far this year, industry experts still call for robust security measures within the cryptocurrency sector.

Lull in crypto hacks could be a slight relief, TRM Labs says

A recently published report from blockchain intelligence firm TRM Labs indicated that the sum of funds lost to exploits in Q1 2023 was significantly lower than that lost in any quarter in 2022. The May 22 report noted that almost 40 attacks happened in the first quarter, leading to losses of around $450 million. The analytics firm also highlighted that the average hack size fell by almost two-thirds in the period while victims recouped over half of the stolen funds.

Still, the authors cautioned that the slump in crypto hack activity could be a short-lived break disguised as a long-term trend, referencing Q3 2022, when hacks cooled before spiking in the last quarter. Notably, last year saw a record-setting number of crypto hacks as the $3.8 billion figure of crypto losses surpassed the $3.3 billion lost in 2021.

Intelligence and risk management firm Chainalysis noted in its crypto crime report earlier this year that spikes in hack activity were observed in March and October, with $775.7 million lost in the latter month to more than 30 separate attacks. The researchers at TRM Labs didn’t attribute the decline in hacking activity in Q1 to any particular cause. They, however, opined that the sanctioning of Tornado Cash and the legal action taken against Avraham Eisenberg, who exploited Mango Markets via an oracle price manipulation, dispirited malicious actors.

Motion seeking to annul the US sanction on the mixer gets going

Eisenberg, who siphoned funds from Solana-based decentralized exchange Mango Markets mid-October while describing the exploit as a “highly profitable trading strategy,” was arrested in Puerto Rico last December. Though Eisenberg returned a chunk of the funds, the US markets regulator (SEC) charged him with commodities fraud and violating market manipulation rules in securities laws. The DeFi trading platform also sued Eisenberg, seeking $47 million in damages.

Tornado Cash, on the other hand, got sanctioned in August 2022 by the US Treasury OFAC, which alleged that the mixer’s service aided North Korean hackers in laundering illicit gains. Last year, a group of six crypto enthusiasts filed a motion seeking to lift sanctions on the privacy-preserving tool.

The plaintiffs, who have the support of Coinbase, argued that the US Treasury Department has no authority to take action on the Tornado Cash ecosystem. The individuals delivered a four-point appeal in a formal complaint submitted to the US District Court, Western District of Texas, by last September. Last month, the group filed a motion for a partial summary judgment that would see the judge rule on some counts from its original filing while others proceed to trial.

Tornado Cash developer granted rights to question Chainalysis in his money laundering trial

Not long after Tornado Cash was sanctioned in the US, the protocol’s developer Alexey Pertsev was arrested in the Netherlands on orders of the Fiscal Information and Investigation Service. The privacy tool developer, who was released in April, currently awaits a hearing in the coming months on his case, which centers on money laundering.

Pertsev’s legal representative Keith Cheng impugned the evidence meant to prove his client’s links to criminal funds and challenged the explanation provided by the domestic financial crime enforcer. A Dutch court on Wednesday gave Pertsev dispensation to question, only in writing, popular analytics firm Chainalysis regarding its methods.

The post Tornado Cash DAO Attacker Moves Tokens as Motion Challenging Protocol’s Sanction Garners Support appeared first on Securities.io.
