Tornado Cash attacker proposes to restore governance control; TORN down 40% in two days
The popular crypto mixer Tornado Cash lost complete control over its governance to an attacker who deployed a malicious contract to obtain thousands of votes. The incident was first discovered by @samczsun, a researcher at the Web3-focused investment firm Paradigm.
According to samczsun's tweet, the attacker, when creating his malicious proposal, claimed to have used the same logic as a previously adopted proposal, without disclosing that he had added an additional function.
In a recent development, however, the attacker has "published a new proposal to restore governance," according to a post on the mixer's community forum.
The Tornado Cash attacker has submitted a new proposal which, if executed, would apparently undo the damage inflicted on the governance functionality. Either this is giga trolling, or in the end it will be an expensive but not catastrophic lesson in terms of governance.
- 0xdeadf4ce (@0xdface), 21 May 2023
Attacker seizes Tornado Cash governance
Immediately after Tornado Cash voters had accepted the proposal, the exploiter executed the emergency function and updated the proposal logic to grant himself 1.2 million fake votes. That is more than the 700,000 legitimate votes, giving the attacker full control over the crypto mixer's governance.
With complete control, the attacker can do whatever he wants, for example withdraw all locked votes, drain all tokens in the governance contract, and brick the router. He cannot, however, drain individual pools.
"Finally: what can we learn from this? Be careful what you vote for! We all know that proposal descriptions can lie, but proposal logic can lie too! If you rely on verified source code staying the same, make sure the contract does not have the ability to self-destruct," warned samczsun.
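The warning above concerns a proposal contract whose verified source can be replaced after the vote. As an added example (not code from the article or from the Tornado Cash project), the following Python scanner walks EVM runtime bytecode and flags SELFDESTRUCT, skipping PUSH immediate data so that a 0xff constant is not a false positive; it goes beyond the article by also flagging DELEGATECALL, which lets a contract run code it does not own. The sample bytecode is constructed, not taken from the real proposal contract.

```python
# Added example (not from the article or Tornado Cash): scan EVM runtime
# bytecode for opcodes that let a contract's behaviour change after its
# source has been verified. The sample bytecode below is constructed.

PUSH1, PUSH32 = 0x60, 0x7F
FLAGGED = {
    0xFF: "SELFDESTRUCT",  # lets the contract remove its code and be redeployed
    0xF4: "DELEGATECALL",  # runs code from another address in this contract's context
}


def disassemble(code: bytes):
    """Yield (offset, opcode), skipping PUSHn immediate bytes so that a 0xff
    byte inside a pushed constant is not mistaken for SELFDESTRUCT."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        yield pc, op
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1  # PUSH1 carries 1 byte, PUSH32 carries 32
        pc += 1


def naive_contains_ff(code_hex: str) -> bool:
    """Byte grep: flags any 0xff byte, including push data (false positives)."""
    return b"\xff" in bytes.fromhex(code_hex.removeprefix("0x"))


def find_mutation_opcodes(code_hex: str):
    """Return [(offset, name)] for every flagged opcode reached as code.
    Caveat: solc appends a CBOR metadata blob to runtime bytecode; strip it
    (its length is encoded in the final two bytes) before scanning real contracts."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    return [(pc, FLAGGED[op]) for pc, op in disassemble(code) if op in FLAGGED]


# Constructed samples.
# SAFE: PUSH1 0xff, PUSH1 0x00, MSTORE, STOP -> 0xff appears only as push data
SAFE = "60ff60005200"
# TRAPPED: same prefix, then CALLER, SELFDESTRUCT -> code can vanish after the vote
TRAPPED = "60ff60005233ff"

if __name__ == "__main__":
    for name, code in (("SAFE", SAFE), ("TRAPPED", TRAPPED)):
        print(name, "naive:", naive_contains_ff(code),
              "opcode walk:", find_mutation_opcodes(code))
```

Since EIP-6780 (Cancun) SELFDESTRUCT only removes code within the transaction that created the contract, so this pattern is largely closed on Ethereum mainnet; the check still applies on chains and forks without that change.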
Over $2.1 million in TORN tokens stolen
According to a tweet from a Web3 media group, shortly after the exploit the attacker pulled 473,000 TORN, the mixer's native token, worth more than $2.1 million, from the Tornado Cash governance contract.
Tornadosaurus-Hex, an active member of the Tornado Cash community, confirmed that the attack had compromised all funds in governance and asked all members to withdraw their assets locked in the contract. While urging users to withdraw their funds, Tornadosaurus-Hex has also tried to provide a contract that could undo the changes. "A proposed solution for the attack, which may be realized, is to reverse the state changes the attacker made to the contract. For this reason, I have deployed a contract that should do this. Please review it and make suggestions if possible."
As expected, the project's native token fell after the news broke. TORN had climbed to $7.3 on May 20 but lost about 40% of its value over the following days and now trades at $4.5.