05-21-2023

Tornado Cash DAO Attacked Using Fake Votes

By Lucy Adegbe

An attacker has taken control of the Tornado Cash DAO, the decentralized autonomous organization that handles operations, funds, and future plans for the privacy-focused crypto mixer.

The attacker submitted a malicious proposal that granted them fake votes, giving them control over some aspects of Tornado Cash, such as the TORN tokens held in the main governance contract and the withdrawal of locked TORN tokens. The attack does not impact the actual Tornado Cash protocol but has caused TORN prices to slump by 40%.

The attacker’s proposal was approved by a majority of voters, who were likely tricked by the malicious code. The attacker has since withdrawn over $1 million worth of TORN tokens from the main governance contract.

The Tornado Cash team has since taken steps to mitigate the damage, including disabling the malicious proposal and refunding the stolen TORN tokens. However, the attack has raised concerns about the security of decentralized autonomous organizations.

This is not the first time that a DAO has been attacked. In 2021, an attacker stole over $600 million worth of cryptocurrency from the Poly Network DAO. The attack highlighted the need for better security measures for DAOs.

The Tornado Cash attack is a reminder that even the most secure DAOs are not immune to attack. Users should be aware of the risks involved in participating in DAOs and take steps to protect their assets.

How to prevent future attacks?

There are a number of things that can be done to prevent future attacks on DAOs, including:

  • Improving security measures: DAOs should implement security measures such as multi-signature wallets and timelocks to make it more difficult for attackers to steal funds.
  • Educating users: Users should be educated about the risks involved in participating in DAOs and how to protect their assets.
  • Increasing transparency: DAOs should be more transparent about their operations and finances so that users can better assess the risks involved.