The attacker obtains complete control over Tornado Cash governance and can disable the router, remove all locked votes, and drain all tokens from the governance contract.
In a worrying development, a hacker was able to submit a fraudulent proposal and take full control of the administration of the decentralized cryptocurrency mixer Tornado Cash.
The attacker pulled off a successful maneuver on May 20th at 3:25 ET by using a fraudulent proposal to gain 1.2 million votes for themselves. Because of this, the attacker was able to take complete control over Tornado Cash’s governance despite the proposal getting more than 700,000 valid votes.
@samczsun of research-driven technology investment firm Paradigm published the information, revealing that, when posting the malicious proposal, the attacker stated that it followed logic similar to that of a proposal the community had already approved. This time, however, the proposal served a different purpose.
A former Tornado Cash developer is reportedly working on building a new crypto mixing service from scratch, which addresses the “critical flaw” existing in Tornado Cash.