Tornado Cash Attacker Submits Proposal to Undo the Attack; Community Remains Skeptical

The decentralized cryptocurrency mixer dApp, Tornado Cash, was hijacked this past Saturday, and the attacker has now submitted a proposal to undo the attack and return the protocol’s governance to TORN holders. However, many in the community are skeptical about the attacker’s intentions.
According to a post on the Tornado Cash community forum by pseudonymous user Tornadosaurus-Hex, the attacker linked to the Tornado Cash governance attack has shown a willingness to reverse the malicious changes that allowed him to steal the voting power of holders of the protocol’s native TORN token.
Tornado Cash Governance Attack
According to Samczsun of research-driven technology investment firm Paradigm, on Saturday, May 20th, the attacker posted a malicious proposal on Tornado Cash. Through a malicious function, the attacker was able to grant 1.2 million votes to the proposal. The attacker gained total control over Tornado Cash governance because the proposal received more than 700,000 legitimate votes.
As Samczsun explained, the attacker claimed that the proposal used logic similar to that of a proposal the community had previously passed. “However, that wasn’t exactly the truth because they added an extra function,” Samczsun added. Instead:
“Once the proposal was passed by voters, the attacker simply used the emergency Stop function to update the proposal logic to grant themselves the fake votes.”
This gave the perpetrator complete control over Tornado Cash, allowing him to withdraw all of the locked votes, drain all of the tokens in the governance contract, and brick the router. According to Wu Blockchain, the Tornado Cash attacker obtained a total of 483,000 TORN from the Tornado Cash governance vault.
The Tornado Cash attacker obtained a total of 483,000 TORN from the Tornado Cash governance vault, and has deposited 6,000 TORN into Bitrue; sold 379,300 TORN on the chain and exchanged it for 375 ETH (about 680,000 U.S. dollars). The price is US$1.8; there are still 97,700 TORNs…
— Wu Blockchain (@WuBlockchain) May 21, 2023
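The failure described above is that the logic voters approved was not the logic that ran. The following added example (not Tornado Cash code and not from the original article) models one defensive check: record a hash of the proposal's code at submission and refuse execution if it has changed. All class and address names are hypothetical, and SHA-256 over a byte string stands in for a contract code hash.

```python
# Added illustration (constructed model, not Tornado Cash code); all names are hypothetical.
import hashlib
from dataclasses import dataclass


class LogicChanged(Exception):
    """Raised when a proposal's code differs from what voters approved."""


class Chain:
    """Toy address -> code store in which code at an address can be replaced."""

    def __init__(self):
        self.code = {}

    def deploy(self, address: str, code: bytes) -> None:
        self.code[address] = code

    def code_hash(self, address: str) -> str:
        return hashlib.sha256(self.code.get(address, b"")).hexdigest()


@dataclass
class Proposal:
    target: str
    pinned_hash: str  # hash of the logic as it stood when the proposal was submitted
    votes_for: int = 0
    executed: bool = False


class Governance:
    def __init__(self, chain: Chain, quorum: int, enforce_pin: bool = True):
        self.chain, self.quorum, self.enforce_pin = chain, quorum, enforce_pin
        self.proposals = []

    def propose(self, target: str) -> int:
        self.proposals.append(Proposal(target, self.chain.code_hash(target)))
        return len(self.proposals) - 1

    def vote(self, pid: int, weight: int) -> None:
        self.proposals[pid].votes_for += weight

    def execute(self, pid: int) -> bytes:
        p = self.proposals[pid]
        if p.executed or p.votes_for < self.quorum:
            raise PermissionError("proposal not executable")
        # Hardened path: the code must still match what voters reviewed.
        if self.enforce_pin and self.chain.code_hash(p.target) != p.pinned_hash:
            raise LogicChanged(f"code at {p.target} changed after submission")
        p.executed = True
        return self.chain.code[p.target]  # the logic that would actually run
```

With `enforce_pin=False` the model executes whatever code sits at the target address at execution time; with the pin enforced, a post-vote swap is rejected and the proposal stays unexecuted.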
Per the user Tornadosaurus-Hex, the attacker is ready to undo the attack. “I think that there is a good chance he’s going to execute it,” he added. The proposal is now open for voting until May 26th. If passed, the malicious code integrated into the protocol will be removed, and Tornado Cash’s governance will go back to token holders. But many in the community do not agree that it’s a benevolent plan.
As a result, TORN was up as much as 10% before settling back down to nearly 6% in the last 24 hours. Therefore, many in the TORN community believe that the attacker is trying to pump the price before selling the tokens.
A community member, 0xdeadf4ce, pointed out that this might all be a “gigatroll” to depress the token’s price to increase their holdings at a discount.
TornadoCash attacker deployed new proposal that, if executed, would seemingly revert the damage done to the Governance functionality. Either they're giga trolling or it will end up being an expensive but not disastrous lesson in Governance security. https://t.co/QMWYFsi8kP
— 0xdeadf4ce (@0xdface) May 21, 2023
He wrote:
“This might just be an attempt to spark confidence and pump the price as others have rightfully noted. Don’t gamble on a recovery for your own sanity.”
The proposal has received 517K votes in favor as of his tweet. The final decision regarding the proposal will be announced after the closing of voting on Friday, May 26th.
