- Hacker steals over $1 million from Tornado Cash DeFi protocol.
- Attacker gained control through malicious governance proposal with fake votes.
- Tornado Cash risks becoming obsolete without further development and security measures.
According to the most recent updates, an unidentified hacker has taken control of Tornado Cash, a decentralized finance (DeFi) protocol that facilitates transaction anonymity for its users, by exploiting a malicious governance proposal. It has been reported that the hacker has managed to steal more than $1 million in the week they have been in charge of the protocol.
Last week, a hacker submitted a malicious proposal and gained full control of the protocol, allegedly granting 1.2 million votes to their proposal. However, only 70,000 votes were legitimate, as the attacker utilized the emergency-stop function to manipulate the proposal logic and generate fake votes. This breach highlights the importance of implementing robust security measures to safeguard against such attacks.
Surprisingly, the hacker proposed relinquishing complete control to the community, restoring everything to its original state. However, the true motive behind this proposal remains a mystery, leaving many to wonder if the hacker intends to compensate the customers for their losses. Chinese journalist Colin Wu shared this development on his Twitter page, Wu Blockchain.
Despite the hacker’s attack, the protocol has remained largely unscathed. However, it is worth noting that a substantial portion of the DAO funds now lies within the hacker’s grasp. While the situation is concerning, it is important to remain vigilant and take appropriate measures to safeguard against future threats.
According to Ronghui Gu, the co-founder of CertiK, a blockchain security firm, Tornado Cash risks becoming obsolete if it doesn’t receive further development. Gu also highlighted the growing number of attacks on DAOs, which poses a significant threat to the system’s security. To prevent hostile takeovers, third-party audits are necessary. However, auditing every proposal is challenging and costly in practice. Therefore, finding a balance between security and cost-effectiveness is crucial.