Yesterday, Theo, a member of the Tornado Cash community, introduced a new proposal to patch the cryptocurrency mixer’s governance and rebuild its infrastructure after the May 20 hack that allowed the attacker to gain control of the sanctioned cryptocurrency mixer by obtaining 1,200,000 votes.
"This proposal seeks to patch the vulnerability which allowed the recent exploit to occur and also rebuilds infrastructure which was incapacitated by it," Theo’s post on Tornado Cash’s community forum reads.
The proposal came shortly after the end of voting on Proposal 21, which had been put forward by the attacker. This hacker’s proposal to reset the illegally obtained share of governance funds to zero and restore governance to its normal state came unexpectedly after the hack and was supported unanimously on May 26.
The current rules on the Tornado Cash Voting webpage state, "A proposal’s voting period lasts five days. The proposal is passed only if the majority vote and the quorum of 25,000 voters is reached," meaning that the total number of "for" and "against" votes must exceed 25,000 for a proposal to pass.
In the case of Proposal 21, there was not a single "against" vote, while the total number of TORN tokens used for voting was 517,000 coins. Most likely, the outcome was determined by the attacker's dominance in the voting.
Theo's proposal includes the GovernancePatchUpgrade, which performs additional checks intended to prevent attacks that rely on code containing the SELFDESTRUCT opcode, similar to the code used in the recent Tornado Cash exploit.
"The above upgrade is designed such, that it allows regular execution of all pre- and post-conditions, and respectively introduces extra stores and checks at the appropriate locations. The resistance against metamorphic contract attacks is proven by forked tests using the on-chain permissionless MetamorphicContractFactory."
While Theo believes this solution may make it much harder for attackers to exploit the vulnerability, the author of the proposal warns the Tornado Cash community that the introduction of the solution "does not mean governance can not vote for a malicious proposal in the future."
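The kind of extra store and check described above, as an added Python model that is not the proposal's own Solidity code. It assumes the patch records the proposal contract's code hash at submission and compares it again at execution; `Chain`, `PatchedGovernance`, the SHA-256 stand-in for the EVM code hash and the address are all constructed for illustration.

```python
import hashlib

class Chain:
    """Constructed toy model of account code; SHA-256 stands in for the EVM code hash."""
    def __init__(self):
        self.code = {}                      # address -> deployed bytecode

    def deploy(self, address, bytecode):
        self.code[address] = bytecode

    def selfdestruct(self, address):
        self.code.pop(address, None)        # code removed, address can be reused

    def codehash(self, address):
        return hashlib.sha256(self.code.get(address, b"")).hexdigest()

class PatchedGovernance:
    """Hypothetical patched governance that pins each proposal's code hash."""
    def __init__(self, chain):
        self.chain = chain
        self.proposals = {}                 # id -> (address, pinned hash)

    def propose(self, address):
        pid = len(self.proposals) + 1
        # Extra store: record the code that voters are actually reviewing.
        self.proposals[pid] = (address, self.chain.codehash(address))
        return pid

    def execute(self, pid):
        address, pinned = self.proposals[pid]
        # Extra check: refuse if the code at that address has changed.
        if self.chain.codehash(address) != pinned:
            raise PermissionError("proposal code changed since submission")
        return f"executed code at {address}"

def demo():
    chain = Chain()
    gov = PatchedGovernance(chain)
    addr = "0xPROPOSAL"                     # constructed placeholder address
    chain.deploy(addr, b"reviewed-logic")
    pid = gov.propose(addr)
    unchanged = gov.execute(pid)            # same code as reviewed: allowed
    chain.selfdestruct(addr)                # code at the address is wiped...
    chain.deploy(addr, b"different-logic")  # ...and replaced, same address
    try:
        gov.execute(pid)
    except PermissionError:
        return unchanged, True              # swapped code is rejected
    return unchanged, False
```

As Theo's warning notes, a check like this only ties execution to the code that was voted on; it does nothing if voters approve malicious code in the first place.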
Theo emphasized that an even more important improvement will be the registration of three new contracts deployed at the addresses listed in the proposal. "These contracts are minimally modified versions of the original contracts," Theo says, explaining that these changes are significant for eliminating the exploited vulnerability.
According to the author of the proposal, the TornadoStakingRewards proxy, RelayerRegistry, and TornadoStakingRewards need to be re-implemented due to incorrect states and dependencies. To compensate for the rewards lost due to the exploit, Theo also wants 94,092 TORN to be moved from the Governance contract to the TornadoStakingRewards AdminUpgradeableProxy contract, also called the Staking Contract.
"This proposal purposely does not include further actions, because we want to proposals as atomized as possible and fix the necessities," Theo says, expressing hope that these changes will help "restore the trust of the community in the security of contracts."
"We also state that we have learned any lessons to be learned, including the necessity of full rigor in contract auditing and non-delegation of this work to anyone but ourselves since no one can be counted on," Theo said.
Meanwhile, the Twitter account CertiK Alert belonging to blockchain analytics firm CertiK has already discovered a new transaction of 30 ETH that allegedly originated from a wallet related to phishing activities.
Furthermore, today, PeckShield's team reported the transfer of 3,345 BNB lost to the May 2 exploit of Level Finance, a non-custodial exchange operated on the BNB Chain.
Tornado Cash is still widely used for money laundering
Facilitating money laundering was the main reason the US authorities sanctioned Tornado Cash on August 8, 2022. The US Department of the Treasury is convinced that Tornado Cash was used by hackers to "launder more than $7 billion worth of virtual currency since its creation in 2019," which includes "over $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group that was sanctioned by the US in 2019, in the largest known virtual currency heist to date." The Department also believes Tornado Cash is responsible for laundering the funds stolen during the Harmony Bridge Heist and the Nomad Heist, which together exceeded $100 million.
Ironically, the funds stolen from Tornado Cash have now been laundered with the help of this cryptocurrency mixer too. Martin Lee of Web3 analytics firm Nansen reported in a May 22 tweet that the crypto mixer attacker "swaps a large portion of the 483,000 TORN, which it exploited, to ETH mostly using 1inch, and then sends 360 ETH to Tornado Cash."
Although the hacker was serious about reversing the attack, the fate of the stolen funds is still unknown. A Web3 developer who goes by MeTony on Twitter claims the attacker offered to return the loot in a new proposal, referring to the May 26 article posted by Fortune Crypto. However, since the hacker introduced Proposal 21 to restore the platform's governance, the only new entry in the list of proposals on the Tornado Cash voting page is Proposal 22 from Theo, mentioned above.
Meanwhile, some Twitter reports posted today claim that Binance is once again allowing TORN deposits, which were halted after the attack.