An unidentified attacker was recently able to assume control of the Tornado Cash decentralized autonomous organization (DAO) governance after tricking users into approving a seemingly benign proposal that actually contained malicious code.
A DAO’s governance is achieved by users ‘locking up’ the protocol’s tokens in exchange for the right to vote on upgrades, fixes, and other proposed changes. The Tornado Cash attacker’s malicious code allowed them to authorize an additional 1.2 million voting rights—around half a million more than the total legitimate voting rights—allowing the attacker to dictate any protocol changes they desired.
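The governance model just described (voting power derived only from locked tokens) lends itself to a simple invariant a governance monitor can check after every proposal executes: total voting rights must never exceed total locked tokens. The Python below is an added illustration, not code from the article or from the Tornado Cash project; the holder balances are constructed from the article’s rounded figures (about 700,000 legitimate votes versus a 1.2 million grant).

```python
from dataclasses import dataclass, field


@dataclass
class LockGovernance:
    """Minimal model of a lock-to-vote DAO: voting power only comes from locked tokens."""
    locked: dict = field(default_factory=dict)        # address -> tokens locked
    voting_power: dict = field(default_factory=dict)  # address -> voting rights

    def lock(self, who: str, amount: int) -> None:
        self.locked[who] = self.locked.get(who, 0) + amount
        self.voting_power[who] = self.voting_power.get(who, 0) + amount

    def total_locked(self) -> int:
        return sum(self.locked.values())

    def total_voting_power(self) -> int:
        return sum(self.voting_power.values())

    def check_invariant(self) -> tuple[bool, int]:
        """Voting rights must be fully backed by locked tokens. Returns (ok, unbacked_votes)."""
        excess = self.total_voting_power() - self.total_locked()
        return excess <= 0, max(excess, 0)

    def can_pass_alone(self, who: str) -> bool:
        """True if one address outvotes everyone else combined."""
        mine = self.voting_power.get(who, 0)
        return mine > self.total_voting_power() - mine

    def execute_proposal(self, proposal) -> tuple[bool, int]:
        """Run a proposal's code, then re-check the invariant (what a monitor would do)."""
        proposal(self)
        return self.check_invariant()


def simulate_attack() -> tuple[bool, int, bool]:
    dao = LockGovernance()
    # constructed legitimate holders, ~700k locked in total (assumption based on the article)
    for addr, amt in [("holder_a", 300_000), ("holder_b", 250_000), ("holder_c", 150_000)]:
        dao.lock(addr, amt)

    def malicious_proposal(d: LockGovernance) -> None:
        # the executed code grants 1.2M voting rights with no corresponding token lock
        d.voting_power["attacker"] = d.voting_power.get("attacker", 0) + 1_200_000

    ok, unbacked = dao.execute_proposal(malicious_proposal)
    return ok, unbacked, dao.can_pass_alone("attacker")
```

A benign proposal (one that changes parameters but mints no votes) leaves `check_invariant()` returning `(True, 0)`; the malicious one trips it with 1.2 million unbacked votes and a single address that outvotes all legitimate holders.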
Predictably, the attacker quickly swapped over 400,000 TORN governance tokens for around 430 ETH—Tornado Cash is built on the Ethereum blockchain—worth over US$750,000 and ran most of this ETH through the mixing service.
Coin mixers like Tornado Cash are popular with criminals because they allow users to ‘wash’ tokens by slicing, dicing, and mixing them with others of their kind, spitting them out the other side with a less obviously illicit provenance.
TORN’s value fell by nearly half on Sunday as the reality of the situation dawned on users. Some exchanges like Binance temporarily froze deposits of TORN, allowing the price to stabilize somewhat, but it’s still sitting well below the value it’s traded at most of this year.
The price may have also established some kind of floor due to a surprise offer by the attacker to restore governance to its previous state by eliminating the improperly minted TORN tokens. Not everyone is convinced of the attacker’s sincerity, with some suspecting it might be a ruse to temporarily preserve TORN’s value to maximize returns from additional withdrawals.
Regardless, legit governance holders basically don’t have a say in the matter. They can either agree with the attacker’s latest proposal or pound sand. This farce once again exposes the foolishness of the ‘code is law’ mantra that’s so popular with many ‘crypto’ maximalists.
It bears mentioning that the attacker’s plan could never have succeeded without the TORN community’s unforgivable lack of due diligence on the malicious proposal. One would have assumed that, with the value of their tokens on the line, they’d have taken more time to peruse the proposed code than one usually takes to click ‘agree’ on an Apple (NASDAQ: AAPL) system software upgrade.
An ill wind that blows no good
This is the latest black eye for Tornado Cash, which has a reputation as the first stop for those who’ve obtained tokens through illicit means. While there may be legitimate reasons to want to obfuscate a token’s digital trail, the service was seriously popular among DeFi hackers, including North Korea’s notorious Lazarus Group and the country’s nuclear weapons program.
Last August, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash for failing to impose adequate controls to prevent money laundering. OFAC also blacklisted Ethereum addresses that received Tornado Cash output, a move that many users claimed could result in malicious targeting of addresses unaffiliated with any criminality.
That same month, Dutch authorities arrested Tornado Cash protocol developer Alexey Pertsev, who allegedly had ties to Russian intelligence services. Pertsev secured his release from custody last month and is awaiting trial in the Netherlands on charges of facilitating money laundering.
Other coin mixers have been similarly targeted by global authorities determined to rein in crypto’s flagrant flouting of financial norms. U.S. authorities are also looking to plug the holes in their efforts to impose economic sanctions on Russia for its invasion of Ukraine.
It remains unclear how this Tornado Cash escapade will conclude or if there might be a few cries from the fleeced for recompense. Tornado Cash’s dubious reputation makes it unlikely that the authorities might expend any effort helping to identify its attacker or retrieve the stolen goods. And even if they did, would the rest of the DAO’s hardcore governance community approve of such assistance?
Had this attack occurred on the BSV blockchain, there would be real options for digital asset recovery. BSV is leading the charge to bring the globally recognized tenets of real-world property law to the digital asset sector.
On BSV, if a digital asset is stolen or access is lost by accident or through careless storage habits, the impacted user can publicly demonstrate proof of ownership. Assuming that evidentiary bar is cleared, the user can secure a court order or its legal equivalent and present the same to the miners in charge of maintaining transaction consensus on the blockchain.
The miners would then freeze and move the assets in question to their rightful owners at the tip of the chain. Other blockchain users would be able to audit the full history of these transactions and assets, verify that they are indeed the original user’s property, and that transactions involving these assets are valid.
While token recovery is possible on blockchains other than BSV, the outlook for adoption remains decidedly iffy. Just last week, Ledger introduced an opt-in seed phrase recovery program for users of its Nano X hardware wallet, and the response was, er…well, if you’ve seen the original Frankenstein, just imagine Ledger CEO Pascal Gauthier at the top of the windmill and crypto maximalists as the villagers lighting the joint on fire.
More open-minded individuals looking to learn more about digital asset recovery and other value-added BSV initiatives should check out the London Blockchain Conference, which gets underway at the QE II Centre on May 31. When BSV gets through improving this space, it will look like a tornado blew through it. (Sorry, too soon?)