
Tornado Cash DAO faces ‘malicious’ governance attack, researchers warn

WikiBit 2026-06-26 04:02

Researchers at L2BEAT have flagged a suspicious governance proposal submitted to the Tornado Cash DAO.

It raised eyebrows for pointing to an unverified contract, something “very unusual for Tornado Cash DAO proposals… [and] a clear indication that the proposal should be treated as malicious.”

Adding to suspicions, the address of the proposer was funded by Railgun (a competing crypto privacy protocol) just four days ago.

Sergey Shemyakov, a ZK researcher, took to X to “summon” others to examine the proposal, which “shows pretty convoluted logic.”

The proposal purports to define a new fee structure and “establish a brand-new dynamic deflationary economic model.”

However, Security Alliance researcher Pascal Caversaccio alleged “malicious” intent behind the proposal, stating that its real purpose is to switch key addresses with spoofed lookalikes.

The current DAO governance address, which holds $23 million of TORN tokens, would be replaced by an attacker-controlled address which shares the same initial 15 characters.

A similar switch would be made on the staking governance proxy contract.

Caversaccio also notes that the spoofed governance address would be able to “zero out any relayers balance at will.” He called the proposal a “governance attack on Tornado Cash” and urged TORN holders to reject it.
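The check a defender would want for this kind of proposal, as an added example that is not from the article or from Tornado Cash's own tooling: compare every address the proposal would write against a registry of trusted protocol addresses and flag any value that shares only a long leading prefix with a trusted address. The registry entries and proposal targets below are constructed placeholders, not real Tornado Cash addresses.

```python
# Added example: triage the addresses a governance proposal would install.
# An address that matches a trusted one exactly is "trusted"; one that shares
# a long leading prefix (counted on the full "0x..." string, so 15 here mirrors
# the case in the article) but differs later is a "lookalike"; anything else is
# "unknown" and needs manual review.  All addresses are constructed placeholders.
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Hypothetical registry of the protocol's real addresses (constructed values).
TRUSTED = {
    "governance":    "0x5efda2ec3f7a5b0c1d2e3f4a5b6c7d8e9f0a1b2c",
    "staking_proxy": "0x2f50508a8a0be5e7c0d1e2f3a4b5c6d7e8f9a0b1",
}

def normalize(addr: str) -> str:
    """Validate a 20-byte hex address and lowercase it (hex is case-insensitive)."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()

def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def classify(addr: str, trusted=TRUSTED, min_prefix: int = 8):
    """Return (verdict, matched_label, shared_prefix_chars) for one address."""
    a = normalize(addr)
    best = ("unknown", None, 0)
    for label, t in trusted.items():
        t = normalize(t)
        if a == t:
            return ("trusted", label, len(a))
        n = shared_prefix_len(a, t)
        if n >= min_prefix and n > best[2]:
            best = ("lookalike", label, n)
    return best

def triage_proposal(targets, trusted=TRUSTED, min_prefix: int = 8):
    """Classify every target address a proposal would write."""
    return {addr: classify(addr, trusted, min_prefix) for addr in targets}

def should_reject(triage: dict) -> bool:
    """A single look-alike is enough to treat the whole proposal as malicious."""
    return any(verdict == "lookalike" for verdict, _, _ in triage.values())
```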

All TORN up

Today's governance attack is the latest in a long series of governance, legal and security troubles for Tornado Cash.

Tornado Cash last faced a governance attack in 2023 when a malicious proposal passed, granting an attacker a majority share of votes.

On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control.

After selling around $800,000 of TORN tokens for ETH, the attacker created a new proposal to set its voting power back to zero. Not before washing the proceeds through none other than Tornado Cash itself, though.

The following year, multiple Tornado Cash IPFS front ends were injected with malicious JavaScript to leak sensitive deposit information to an attacker-controlled server. Even a hacker allegedly fell victim to the trap.

In the legal sphere, Tornado Cash was sanctioned by the US Treasury in 2022, though the decision was eventually reversed last year.

Despite no longer being banned, Tornado Cash developer Roman Storm was prosecuted for conspiracy to operate an unlicensed money-transmitting business last year, following a rocky trial.

Storm's fate continues to hang in the balance. In April, a motion for acquittal was left unresolved, and prosecutors are keen to retry two counts on which the jury remained deadlocked at the end of his trial.
