- An anonymous attacker seized control of the Tornado Cash protocol, by exploiting a malicious proposal.
- Reportedly, he stole more than $1 million from the DAO’s funds.
- The attacker has proposed to revert everything, giving control back to the community.
According to the latest reports, an anonymous hacker has seized control of the decentralized finance (DeFi) protocol, which helps customers conceal transactions, Tornado Cash, by exploiting a malicious governance proposal. Reportedly, the hacker has stolen over $1 million during the week he has control over the protocol.
The previous week, the hacker gained complete control of the protocol, through a malevolent proposal; the attacker allegedly granted 1.2 million votes to the proposal. Though only 70,000 votes were legitimate, “the attacker simply used the emergency-stop function to update the proposal logic to grant themselves the fake votes”.
Currently, surprising the community, the hacker has put forward a proposal to give the community complete control back, reverting everything to its original state. However, the intention behind the proposal is unclear; it’s still not clear whether the hacker would reimburse the losses of the customers. The Chinese reporter Collin Wu, via his Twitter page Wu Blockchain, shared the matter:
The hacker’s attack hasn’t caused any major damage to the protocol though most of the DAO funds are under his control. A significant portion of the DAO fund is already acquired by the hacker.
Ronghui Gu, the co-founder of blockchain security firm CertiK commented that Tornado Cash would soon fall into disrepair, without further development. Gu further pointed out that the increasing number of attacks on DAOs poses a threat to the security of the system, necessitating third-party audits to prevent hostile acquisitions. However, while analyzing the practical side of third-party auditing, it would be a difficult procedure to audit every proposal; it would also be very expensive.