Cyber Attackers Seize Control of Sanctioned Crypto Mixer Tornado Cash

Tornado Cash, a fully decentralized and open-source cryptocurrency mixer operating on Ethereum-based networks, has been subjected to a malicious takeover. This comes as another significant blow to the platform following its troubled history with regulatory authorities.

On August 8, 2022, the U.S. Department of the Treasury issued sanctions against Tornado Cash. The platform was accused of routinely enabling money laundering for harmful cyber actors due to its alleged lack of adequate controls. This led to its use being deemed illegal for U.S. citizens, residents, and firms. Subsequently, the project’s website domain and GitHub accounts were suspended, and one of the developers was arrested.

In the current crisis, a bad actor manipulated the project’s governance system by accumulating 1.2 million counterfeit votes, overpowering the 700,000 legitimate votes. The malefactor cunningly disguised their proposal to mimic a previously successful one, but it surreptitiously included a function that enabled the creation of counterfeit votes.

The perpetrator exploited the emergencyStop function, allowing them to modify the proposal logic swiftly and seize control of Tornado Cash’s governance. This authority permits the intruder to withdraw locked votes, drain tokens from the governance contract, and possibly disrupt the router’s functionality. In a swift move to profit from their control, the attacker quickly liquidated 10,000 votes worth of TORN tokens and seems capable of emptying all ETH from the pool.

Despite the community’s urgent advice to participants to withdraw their locked assets and efforts to deploy a contract to reverse the changes, the bad actor continues to maintain governance control. This presents significant challenges to the project’s recovery and future operation.

In an attempt to counteract the damage, Tornado Cash is actively recruiting Solidity developers and planning to engage Binance, an exchange that holds a considerable amount of tokens that could potentially help in countering the attack.

As a privacy-enhancing tool on Ethereum-based networks, Tornado Cash blends potentially identifiable or “tainted” cryptocurrency funds with others, obscuring the original source. The service, therefore, addresses the need for privacy on EVM networks where transactions are by default publicly visible. However, it is this very feature that has also exposed it to regulatory scrutiny and cybersecurity threats.


Tagged : / /

TORN soars 200% as Tornado.Cash’s governance token becomes tradable

The decentralized finance (DeFi) “stimulus checks” keep coming as Tornado.Cash joins Uniswap, Badger DAO, StakeDAO, and others in “airdropping” a now-tradable TORN governance token to early protocol participants.

Tornado Cash, which is an Ethereum “tumbling” service that obscures transactional history in order to preserve user privacy (as well as allow scammers and hackers a method to launder their funds), first announced the launch of a governance token in December. A snapshot for the airdrop was taken for Ethereum block 11400000, which was mined on December 6th, and addresses which had interacted with the protocol prior to that point were entitled to an amount of TORN tokens weighted to the frequency and amount of Ether they used.

At current valuations, the distribution was one of the most lucrative for recipients to date. According to a post on community forums, the average recipient received 66.54 TORN tokens currently worth over $23,000, and the median user took in 21.24 tokens, worth $7500. The single largest recipient harvested over 2500 tokens worth a whopping $888,000.

The 500,000 airdropped tokens represent just 5% of the eventual 10,000,000 total TORN supply. The token had been locked as non-transferrable for 45 days, but that was released yesterday, and an additional 10% of the total supply is set aside for a “anonymity mining” program similar to liquidity mining.

Trading for the young token has been notably volatile. A liquidity pool on exchange aggregator and automated market maker (AMM) 1inch was established shortly after the token was unlocked, and TORN has a 24-hour high and low of $428 and $113, per Coingecko. At the time of writing the token currently trades at $350, and a pool has also been established on Uniswap.

Despite the airdrop bonanza, however, some have expressed skepticism that Tornado.Cash needs a governance token at all. The protocol currently works as intended, and the team transitioned the contracts to a state of immutability last year.

Additionally, in the governance announcement blog post the team did not specify what the DAO treasury or team reserves — a combined total of 8,500,000 TORN tokens locked in a 3-5 year vesting schedule currently worth $3 billion — will be used for, only that through a DAO “the users of Ethereum will control their own privacy protocol.”

In a Tweet from last year, Ethereum co-founder Vitalik Buterin seemed to echo this sentiment, saying that Tornado.Cash functions best as a “tool” rather than as an “ecosystem.”

Nonetheless, as asset valuations inflate across DeFi, this perhaps superfluous token drop likely won’t be the last.