On May 21, Tornadosaurus-Hex, a member of the Tornado Cash community, told users of the Tornado forum that the attacker who exploited the crypto mixer is planning to restore governance. TORN rose to $4.75 and traded at $4.48 at press time. The rebound followed a drop from around $6.70 to $3.90 caused by the attack. It also raised suspicion among cautious crypto users, who believe that the attacker's true intention is to restore the price of TORN in order to gain more from the exploit.
"The attacker posted a new proposal to restore the state of governance. I think that there is a good chance he’s going to execute it," wrote Tornadosaurus-Hex, who added that it looks like the hacker, who "gave himself in the malicious proposal 1,200,000 TORN, as lockedBalance-s" is resetting the changes to zero.
Tornadosaurus-Hex added, "If the proposal goes through (and it isn’t malicious) governance should be aware that they have to kill every single proposal which includes some type of SELFDESTRUCT call. This is until I or someone else pushes a proposal to update the governance contract. I already have the fixing logic ready, but I need to verify the storage layouts so that a proxy upgrade doesn’t break the contract."
As per Tornadosaurus-Hex, the proposal is important, but the community has no choice anyway. The voting is scheduled to close on May 26.
Twitter users are now speculating about the reason behind the exploiter's new move. Many believe that this is an attempt to pump the price of the token before dumping it, while others assume that the hacker could also use Tornado Cash to mix the cryptocurrency, if that is even possible, since the use of the crypto mixer is now illegal in the US.
According to the Twitter thread posted by crypto-space influencer Samczsun, the attack happened on May 20 at 07:25:11 UTC, when "Tornado Cash governance effectively ceased to exist." The hacker managed to obtain 1,200,000 votes, which gave him full control to "withdraw all of the locked votes, drain all of the tokens in the governance contract, and brick the router." However, the attacker still cannot empty individual pools.
Samczsun explained that the hacker based the new proposal on the logic of an earlier successful proposal, slightly modified, which made it easier to get the new proposal past voters. A special "emergencyStop" function then allowed the attacker to obtain fake votes.
As per Samczsun, despite the great power the hacker gained from the attack, they have so far only pulled 10,000 votes as TORN to sell.
The Twitter influencer warned the community to be extra vigilant when voting, saying, "While we all know that proposal descriptions can lie, proposal logic can lie too! If you're depending on the verified source code to stay the same, make sure the contract doesn't have the ability to self-destruct."
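The check that both Tornadosaurus-Hex and Samczsun call for above can be run against a proposal contract's deployed bytecode before voting. The following is an added example, not code from the Tornado Cash project or from either person quoted: it assumes the runtime bytecode has already been fetched as a hex string, the function names are hypothetical, and the sample inputs are constructed.

```python
# Added example: scan EVM runtime bytecode for opcodes that let a contract
# destroy itself or run foreign code in its own context.
RISKY = {0xFF: "SELFDESTRUCT", 0xF4: "DELEGATECALL", 0xF2: "CALLCODE"}
PUSH1, PUSH32 = 0x60, 0x7F


def find_risky_opcodes(bytecode_hex):
    """Return [(offset, name)] for every risky opcode in the bytecode.

    PUSH1..PUSH32 carry 1..32 bytes of immediate data; those bytes are
    skipped so that a constant such as 0xff is not reported as an opcode.
    Bytes in a trailing compiler metadata blob are still decoded as code,
    so the scan may over-report; treat a hit as a reason for manual review.
    """
    if bytecode_hex.startswith(("0x", "0X")):
        bytecode_hex = bytecode_hex[2:]
    code = bytes.fromhex(bytecode_hex)
    hits = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op in RISKY:
            hits.append((pc, RISKY[op]))
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1  # jump over the immediate bytes
        pc += 1
    return hits


def must_reject(bytecode_hex):
    """True if the contract can SELFDESTRUCT directly, or can run another
    contract's code in its own context (which may itself SELFDESTRUCT)."""
    return bool(find_risky_opcodes(bytecode_hex))


# Constructed samples (not taken from any real proposal).
SAMPLES = {
    "caller_then_selfdestruct": "0x33ff",      # CALLER, SELFDESTRUCT
    "push_ff_as_data": "0x60ff600055",         # PUSH1 0xff, PUSH1 0, SSTORE
    "gas_then_delegatecall": "0x5af4",         # GAS, DELEGATECALL
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(name, "REJECT" if must_reject(code) else "ok",
              find_risky_opcodes(code))
```

DELEGATECALL and CALLCODE are flagged alongside SELFDESTRUCT because code reached through them executes in the calling contract's context, so a scan for the single 0xff opcode is not sufficient on its own.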
After this attack, many Twitter users expressed concern about the trustworthiness of DAOs in general. "Couldn't the attacker have bought enough TORN tokens just to pass the malicious proposal before granting themselves 1,200,000 votes? In my opinion, the 'what can we learn from this?' is really not to trust anonymous DAOs where an anon person/group can pass whatever proposals they like," user Cyrus Haghighi wrote, while user Agyrrhius noted that "DAOs will always be weak because there is a financial incentive to exploit them, and regular holders/voters are too busy with their lives to govern."
Tornado Cash has been sanctioned in the USA since August 8, 2022. According to the US Department of Treasury, the platform has been used to "launder more than $7 billion worth of virtual currency since its creation in 2019. This includes over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group that was sanctioned by the US in 2019, in the largest known virtual currency heist to date."
Furthermore, according to the Department, "Tornado Cash was subsequently used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022, Harmony Bridge Heist, and at least $7.8 million from the August 2, 2022, Nomad Heist."