The DAO handling operations, funds and future plans of privacy-focused crypto mixer Tornado Cash was effectively taken over by an unidentified attacker, or group of attackers, on Saturday.
DAOs, short for decentralized autonomous organizations, allow token holders to lock up their holdings as votes for proposing changes to a project. These changes can range from deploying treasury funds to purposes that benefit the project to expansion on other networks.
At the start of the weekend, the attacker floated a malicious proposal that hid a code function that granted them fake votes that can now be used to handle some aspects of Tornado Cash, such as torn (TORN) tokens held in the main governance contract or withdrawal of locked torn tokens.
This was done by putting forth a proposal that imitated an earlier version – except with some malicious code that allowed for the update of logic that gave the attacker access to all governance votes.
“Now that they have all the votes, they can do whatever they want,” security research @samczsun tweeted on Sunday. “In this case, they simply withdrew 10,000 votes as TORN and sold it all.”
As such, this attack does not impact the actual Tornado Cash protocol – which allows users to pass funds through the service to mask or obscure the movements of funds and crypto addresses. This attack was not an exploit of any smart contracts or technology related to the working of Tornado Cash.
Meanwhile, the Tornado Cash community has put up newer proposals that seek to revert changes made to the code. One community member observed that the attacker had maliciously minted over 1 million torn for themselves, worth over $4 million at current prices.
Others suggested making a new contract altogether and airdropping new tokens to holders.
Torn prices slumped as much as 40% in the past 24 hours as a result of the governance attack, data shows.