Tornado Cash, a fully decentralized and open-source cryptocurrency mixer operating on Ethereum-based networks, has been subjected to a malicious takeover. This comes as another significant blow to the platform following its troubled history with regulatory authorities.
On August 8, 2022, the U.S. Department of the Treasury issued sanctions against Tornado Cash. The platform was accused of routinely enabling money laundering for harmful cyber actors due to its alleged lack of adequate controls. This led to its use being deemed illegal for U.S. citizens, residents, and firms. Subsequently, the project’s website domain and GitHub accounts were suspended, and one of the developers was arrested.
In the current crisis, a bad actor manipulated the project’s governance system by accumulating 1.2 million counterfeit votes, overpowering the 700,000 legitimate votes. The malefactor cunningly disguised their proposal to mimic a previously successful one, but it surreptitiously included a function that enabled the creation of counterfeit votes.
The perpetrator exploited the emergencyStop function, allowing them to modify the proposal logic swiftly and seize control of Tornado Cash’s governance. This authority permits the intruder to withdraw locked votes, drain tokens from the governance contract, and possibly disrupt the router’s functionality. In a swift move to profit from their control, the attacker quickly liquidated 10,000 votes worth of TORN tokens and seems capable of emptying all ETH from the pool.
Despite the community’s urgent advice to participants to withdraw their locked assets and efforts to deploy a contract to reverse the changes, the bad actor continues to maintain governance control. This presents significant challenges to the project’s recovery and future operation.
In an attempt to counteract the damage, Tornado Cash is actively recruiting Solidity developers and planning to engage Binance, an exchange that holds a considerable amount of tokens that could potentially help in countering the attack.
As a privacy-enhancing tool on Ethereum-based networks, Tornado Cash blends potentially identifiable or “tainted” cryptocurrency funds with others, obscuring the original source. The service, therefore, addresses the need for privacy on EVM networks where transactions are by default publicly visible. However, it is this very feature that has also exposed it to regulatory scrutiny and cybersecurity threats.