What Is Tornado Cash? Attacker Issues Proposal To Reverse Malicious Changes On Governance

An unidentified attacker, who took control of the Tornado Cash token (TORN), has reportedly submitted a proposal to reverse the malicious changes.

Tornadosaurus-Hex, a member of the Tornado Cash community, posted in the forum Sunday that the attacker issued a "new proposal to restore the state of governance."

Considering the TORN governance tokens held by the attacker, it is likely the proposal will be passed when voting closes on May 26.

"I think that there is a good chance he's going to execute it," the user added, as per Crypto Slate.

Tornado Cash is a decentralized, non-custodial privacy platform built on the Ethereum blockchain-based zero-knowledge proofs. It has been active even after the U.S. Treasury imposed sanctions on the project in August 2022 for laundering the proceeds of cybercrimes. Currently, it is completely owned by its community, making it a fully decentralized protocol.

Tornado Cash uses TORN as its native currency, which is an ERC-20 token with a maximum supply of 10 billion coins. It allows holders to participate in proposals and vote for protocol changes.

Once the recent proposal is passed, the attacker will remove the malicious code integrated into the system, which allowed them to steal the voting power from others, to return the governance of Tornado Cash's DAO (decentralized autonomous organization) back to token holders, CoinDesk reported. However, it remains unclear when the action will be executed.

Amid this development, TORN went up by 10% Saturday, as per CoinGecko data.

Meanwhile, other members of the Tornado Cash community have warned that the way the project's default governance will be restored could manipulate the price of the TORN token.

TORN community active member 0xdeadf4ce said on Twitter that either the attacker was "giga trolling" or it might be an expensive lesson in "governance security."

TORN went down from $6.08 to $3.57 within hours of the attack, marking a significant decline of over 40%.

Meanwhile, the Tornado Cash community has raised some new proposals, seeking to revert the changes made to the code. One community member raised concerns after the attacker mischievously minted more than 1 million TORN, worth over $4 million at current prices, for themselves.

"We don't even have a choice in regards to this proposal, but it is still important nonetheless," Tornadosaurus-Hex said.

The attacker took control over the DAO funds and handling operations of the privacy-focused crypto mixer on May 20 by floating a malicious proposal into the project that granted them sole control over the token's governance.

Paradigm researcher Samczun explained what it means for Tornado Cash. After taking governance control, the attacker can "withdraw all of the locked votes," "drain all of the tokens in the governance contract," and "brick the router." But the attacker still cannot "drain individual pools," Samczun added.

"Well, when the attacker created their malicious proposal, they claimed to have used the same logic as an earlier proposal which had passed. However, that wasn't exactly the truth, because they added an extra function," the user said in a tweet, explaining how the attack happened.

"Now that they have all the votes, they can do whatever they want. In this case, they simply withdrew 10,000 votes as TORN and sold it all," Samczun added.