$59 000 USD

MAY 2023




TornadoCash is "[a] fully decentralized protocol for private transactions on Ethereum." and "in the crypto-space."


"As a decentralized protocol, Tornado.Cash smart contracts have been implemented within the Ethereum blockchain, making them immutable. They can neither be changed nor tampered with. Therefore, nobody - including the original developers - can modify or shut them down. All governance and mining smart contracts are deployed by the community in a decentralized manner.


As a non-custodial protocol, users keep custody of their cryptocurrencies while operating Tornado.Cash. This means that at each deposit, they are provided with the private key enabling the access to the deposited funds, which gives users complete control over their assets."


"Tornado Cash improves transaction privacy by breaking the on-chain link between source and destination addresses. It uses a smart contract that accepts ETH & other tokens deposits from one address and enables their withdrawal from a different address."


"Since its inception in 2019, Tornado Cash has been operating on the Ethereum blockchain. The protocol has been offering diversified fixed amount pools for six tokens (ETH, DAI, cDAI, USDC, USDT & WBTC) handled by the Ethereum blockchain.


Since June 2021, in addition to the Ethereum blockchain, Tornado Cash smart contracts have also been deployed on other side-chains & blockchains. These deployments enabled the tool to either support new tokens or benefit from Layer-2 advantages, such as faster and cheaper transactions."


"In a whirlwind of events, Tornado Cash's governance has been taken hostage via a trojan horse proposal, effectively granting control of the DAO to a single address."


"On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control."


"when the attacker created their malicious proposal, they claimed to have used the same logic as an earlier proposal which had passed. However, that wasn't exactly the truth, because they added an extra function"


"Once the proposal was passed by voters, the attacker simply used the emergencyStop function to update the proposal logic to grant themselves the fake votes"


"a proposal contract can be updated through a well-designed trick -- create and create2."


"2/ The attack is a sophisticatedly designed one. 1) The attacker used the name emergencyStop to hide the intent; 2) the attacker used a trick of combining CREATE/CREATE2 to create a contract with the same address with different bytecode."


"Proposal Contract was deployed via CREATE. The address for such contracts is derived by hashing deployer address and deployer nonce.


Note: Smart contracts start with nonce = 1


So, Proposal addr: 0xc50 = hash(0x7dc, 1)"


"After governance approved this Proposal Contract, the attacker called its emergencyStop function (which they added maliciously).


This resulted in the contract calling selfdestruct


Then the Deployer contract was self-destructed as well! (re-setting its nonce to 0)"


"The attacker used CREATE2 to deploy the exact same deployer bytecode.


Because of the same bytecode, the contract was deployed at the same address as before: 0x7dc


The nonce then became 1 (as address now had smart contract code)"


"The attacker then called "create(bytes)" function on the Deployer contract, but this time passing a completely new bytecode for their Malicious contract


As the nonce & deployer address were same as before, this resulted in the Malicious contract at the same address as Proposal"


"While the contracts do not allow for draining of the ~$275M in the privacy pools themselves, the exploiter gained control of the TORN governance token, the power to modify the router to reroute deposits/withdrawals, and admin status over Nova, the Gnosis chain deployment."


"Through governance control, the attacker can:
- withdraw all of the locked votes
- drain all of the tokens in the governance contract
- brick the router

However, the attacker still can't:
- drain individual pools"


"In this case, they simply withdrew 10,000 votes as TORN and sold it all"


"However, it seems not all is lost.


Yesterday, just before midday UTC, the exploiter published another proposal to revert the changes.


As long as there are no nasty surprises this time, this could be a bullet dodged for the Tornado Cash community."

TornadoCash fell victim to a malicious governance proposal, which put control of various aspects of the smart contract in the hands of a single address. This was accomplished through a clever "bait and switch" with a smart contract that delegated calls to another. The original smart contract was self-destructed and a new smart contract was deployed to the same address. The financial damage seems minimal, and there are reports that the attacker may be reverting the damage and relinquishing control.
