DAO Offered Lifeline by Tornado Cash Attacker with Expensive Lesson Learned

The Tornado Cash attacker has submitted a proposal to revert the damage they caused to the project’s governance, highlighting the need for proper auditing and active review of proposals in decentralized autonomous organizations (DAOs).

Just days after taking over the project’s governance, the Tornado Cash attacker has submitted a new proposition to revert the damage they’ve caused.

On May 18, the Tornado Cash DAO accidentally voted in the malicious proposition after failing to properly audit its contents.

Tornado Cash is a privacy-preserving mixer on the Ethereum (ETH) network.

The attacker was then able to grant themselves 1.2 million TORN tokens, giving them control over the DAO. They then swapped 380,000 of the newly acquired TORN for 372 ETH and ran it back through the privacy protocol.

A DAO, or decentralized autonomous organization, is a way for a project to organize itself without the need for a specific company or individual to be in power. Governance tokens—such as Tornado Cash’s TORN token—are distributed to the community to make and vote on numerous proposals for the project in question.

The proposition had nothing to do with handing over crypto tokens to any members. Instead, it asked community members to vote for or against increasing the amount of staked TORN crypto tokens required to become a Tornado Cash relayer and penalize relayers trying to avoid having their stake slashed.


The attacker claimed the proposal contained the same logic as an earlier proposal that had already been passed.

However, the malicious proposal also contained a self-destruct function which, once invoked, allowed the original proposal contract to be replaced with a new, malicious one.

“Self-destruction is, as one can imagine, one of the scariest things one can casually add as an additional function,” Gonçalo Magalhães, a smart contract engineer at Immunefi, told Decrypt. “Changing the logic of a contract provides endless possibilities.”

With the malicious proposition now in place, the attacker was able to withdraw all locked governance votes and drain all the crypto tokens from the governance contract.

“In conclusion, the attacker drained the TORN tokens from the governance vault, meaning they then had all the voting power,” a spokesperson for security company PeckShield told Decrypt. “They then swapped part of the stolen TORN for Ethereum (ETH) and deposited it into the Tornado Cash protocol.”


Shortly after the proposition was revealed to be malicious, another proposition was made to revert the changes.

“Because the attacker now has a bulk of voting power, governance mechanisms are essentially meaningless,” Magalhães said.

The attacker likewise submitted another new proposal that would return the TORN tokens they had granted themselves. After swapping 380,000 TORN for ETH, the attacker still holds 820,000 TORN, which means they still have total control over the DAO.

Twitter user 0xdeadf4ce has suggested, on the other hand, that this could all be a “gigatroll,” saying the new proposition to revert the changes was simply a means to boost the token’s price.

How do DAOs stay safe?

This sparked debate online about DAO proposals not being properly audited, if at all.


“This is not the first case of governance attack this year,” Snapshot’s head of growth Nathan van der Heyden told Decrypt. “The Beanstalk governance attack is one of the largest hacks of the year, and this Tornado one is probably one of the most high-profile.”

In this case, the proposal was carefully crafted to look nondescript and unsuspicious.

Many, if not all, voters would have simply cast their vote without digging into the contract’s code.

“Auditing all critical processes is certainly a good measure, but we do not see it often being implemented,” Immunefi’s Magalhães told Decrypt. “It is hard already to see comprehensive audits being done on all smart contract proxy upgrades.”


A spokesperson at PeckShield confirmed that the company receives proposal audit requests and that they “believe many famous protocols have their proposals audited.”

PeckShield declined to reveal who pays for proposal security audits or which projects opt to audit their proposals.

So what’s a DAO to do?

“DAOs should promote the active review of proposals and participation from holders. Essentially, malicious code like this should not go unnoticed by all DAO members,” Magalhães stated. “An individual voter should have a deep understanding of whatever they are voting for. On-chain proposals, though digital, are definitely real, and have real consequences.”

While this attack was crafty, anyone with a keen eye reviewing the code should have spotted the self-destruct function. “A self-destruct function in a contract should have fired all headquarter sirens,” he said.
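The attack described above (a proposal contract carrying a self-destruct function) and the reviewer advice that such a function “should have fired all headquarter sirens” both come down to one practical check: before voting, inspect the bytecode that a proposal will execute and flag opcodes that let a contract be destroyed, replaced, or handed off to foreign code. The script below is an added example for this article, not code from Decrypt, Immunefi, PeckShield, or the Tornado Cash project. It walks EVM runtime bytecode properly (skipping PUSH immediates, so a `0xFF` byte inside constant data is not mistaken for `SELFDESTRUCT`) and reports `SELFDESTRUCT`, `DELEGATECALL` and `CREATE2` with their offsets; a naive byte scan is shown beside it to illustrate the false positive. The opcode values are the standard EVM ones; the two bytecode samples are constructed for the example and do not correspond to any real contract.

```python
"""Flag opcodes a governance reviewer should treat as red flags in a proposal's bytecode."""

# Standard EVM opcode values that let a contract vanish, be redeployed, or run foreign code.
RED_FLAGS = {
    0xFF: "SELFDESTRUCT",
    0xF4: "DELEGATECALL",
    0xF5: "CREATE2",
}


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate) for each instruction.

    PUSH1..PUSH32 (0x60..0x7F) carry 1..32 bytes of immediate data that must be
    skipped, otherwise constant data is misread as instructions.
    """
    pc = 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7F:
            size = op - 0x5F
            immediate = code[pc + 1 : pc + 1 + size]
            yield pc, op, immediate
            pc += 1 + size
        else:
            yield pc, op, b""
            pc += 1


def find_red_flags(code: bytes):
    """Return [(offset, name)] for every red-flag opcode actually in the instruction stream."""
    return [(pc, RED_FLAGS[op]) for pc, op, _ in disassemble(code) if op in RED_FLAGS]


def naive_scan(code: bytes):
    """Byte-level scan that ignores PUSH immediates; kept only to show its false positives."""
    return [(i, RED_FLAGS[b]) for i, b in enumerate(code) if b in RED_FLAGS]


# Constructed sample 1: the 0xFF byte is PUSH1 immediate data, not an instruction.
#   PUSH1 0xff, PUSH1 0x00, MSTORE, STOP
BENIGN = bytes.fromhex("60ff" "6000" "52" "00")

# Constructed sample 2: PUSH20 <placeholder address> followed by SELFDESTRUCT at offset 21.
MALICIOUS = bytes.fromhex("73" + "11" * 20 + "ff")


def review(code: bytes) -> str:
    """Human-readable verdict for a reviewer; presence of a flag means 'read this by hand'."""
    hits = find_red_flags(code)
    if not hits:
        return "no red-flag opcodes found"
    return "REVIEW REQUIRED: " + ", ".join(f"{name} at offset {pc}" for pc, name in hits)


if __name__ == "__main__":
    print("benign  :", review(BENIGN))        # no red-flag opcodes found
    print("benign (naive scan):", naive_scan(BENIGN))  # false positive at offset 1
    print("malicious:", review(MALICIOUS))   # REVIEW REQUIRED: SELFDESTRUCT at offset 21
```

Two caveats a reviewer should keep in mind. First, a clean scan of the bytecode at vote time says nothing about the bytecode at execution time: the mechanism the article describes is precisely that the reviewed contract was destroyed and replaced before the proposal ran, so the executing governance contract should also compare the target’s code hash at execution against the hash that was reviewed and refuse to proceed on a mismatch. Second, Solidity appends metadata to runtime bytecode that is not preceded by PUSH opcodes, so a flag near the very end of the code may be a false positive; the script’s output is a prompt for manual reading, not a verdict.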

This attack should serve as a lesson, albeit an expensive one, for DAOs and their members, so that yet another governance attack can be prevented this year.


“We must generalize on-chain governance frameworks that allow these exploits to be teaching moments for the community, which then adapts its own frameworks to this new knowledge,” van der Heyden stated. “If we do not learn collectively, then we’re forced to repeat similar mistakes individually.”
