Every now and again, it’s fun to glance at the latest screwups. Well, it’s fun because I don’t have any stake in these projects. Probably not so fun for average Nakamotoans, who have zillions at risk.
This month we learn of an outstanding innovation: a hack of Tornado Cash. This is a system specifically designed to obfuscate the transfers of tokens, to defeat "censorship". Tornado Cash is famous for being sanctioned by the US Treasury (OFAC) in 2022 for laundering stolen funds, including proceeds of North Korea's Lazarus Group, and its developers have the unfortunate distinction of actually being prosecuted for creating the software. (Aiding the development of WMDs is taken very, very seriously in some quarters.)
Tornado continues to break new ground. This month Tornado's governance system was taken over by hackers [1]. Oops.
The system is operated by a decentralized autonomous organization (DAO), which manages proposals and voting, i.e., governance. As with many of these algorithmic governance schemes, people buy voting shares, paying other tokens into a pool in exchange for governance tokens, and each token counts as one vote. The results of votes determine when new or modified Ethereum "smart" contracts are approved, and a proposal that passes is executed as code, with full authority over the DAO's state. It's all highly automated and pretty well obfuscated, by design.
Apparently, the hack did not need a majority of tokens at all. Per [1], the attacker got a proposal passed that was presented as a re-run of an earlier, legitimate one, and once it executed it did something quite different: it gave the hackers control of all the votes! (This is a good one, for sure.) Naturally, this is difficult to undo, because the hackers can just vote down any patch.
This hack doesn't directly affect transactions or the mixing operations that hide users' funds. It just cripples the ability to maintain and change the software.
The other thing it does is let the hackers convert their governance tokens back into other assets (e.g., Ether), which they did, sucking out stored assets held by the DAO. Furthermore, they granted themselves a million-odd new tokens (i.e., votes), which they can use to control the decision making and / or cash in for other assets.
This latter part is a side effect of the way DAOs do "democracy", in which "buying votes" isn't a metaphor, it is simply the way voting works.
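To make the mechanics of the last few paragraphs concrete, here is a toy token-weighted DAO written for this post. It is not Tornado Cash's governance contract and is not drawn from the Coindesk reporting; it is an added example. It models what the text describes: a proposal that passes runs with full authority over the DAO's state, including the vote ledger, so one rigged proposal hands the proposer a permanent majority, and the honest holders' "undo" proposal then fails because the attacker votes it down. The second run shows one general hardening, assumed here rather than anything the post or Tornado describes: record a fingerprint of the proposal's code when it is submitted and refuse to execute it if that code has changed since the vote (the analogue of checking a contract's code hash). All names, balances and the quorum are made up.

```python
"""Toy token-weighted DAO (added example; not Tornado Cash's code).

A Deployed object stands in for a proposal contract: some 'bytecode' plus the
behaviour it implements. In this model the proposer keeps the ability to swap
both after the vote, which is the failure mode the hardening check catches.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Action = Callable[["DAO"], None]


@dataclass
class Deployed:
    bytecode: bytes          # what voters (should) inspect
    action: Action           # what actually runs on execution

    def codehash(self) -> str:
        # Analogue of reading a contract's code hash on chain.
        return hashlib.sha256(self.bytecode).hexdigest()


@dataclass
class Proposal:
    proposer: str
    target: Deployed
    codehash_at_submit: str  # fingerprint recorded when the proposal was filed
    for_votes: int = 0
    against_votes: int = 0
    voters: set = field(default_factory=set)
    executed: bool = False


class DAO:
    def __init__(self, votes: Dict[str, int], quorum: int, verify_code: bool = False):
        self.votes = dict(votes)        # governance tokens == votes
        self.quorum = quorum
        self.verify_code = verify_code  # hardening toggle (assumption, see lead-in)
        self.proposals: List[Proposal] = []

    def submit(self, proposer: str, target: Deployed) -> int:
        self.proposals.append(Proposal(proposer, target, target.codehash()))
        return len(self.proposals) - 1

    def vote(self, pid: int, voter: str, support: bool) -> None:
        p = self.proposals[pid]
        if voter in p.voters:
            raise ValueError("already voted")
        p.voters.add(voter)
        weight = self.votes.get(voter, 0)   # one token, one vote
        if support:
            p.for_votes += weight
        else:
            p.against_votes += weight

    def execute(self, pid: int) -> bool:
        p = self.proposals[pid]
        if p.executed or p.for_votes < self.quorum or p.for_votes <= p.against_votes:
            return False
        if self.verify_code and p.target.codehash() != p.codehash_at_submit:
            return False                    # code changed since the vote: refuse
        p.executed = True
        p.target.action(self)               # runs with full authority over the DAO
        return True


def run_takeover(verify_code: bool) -> dict:
    """Replay the takeover; returns who ends up controlling governance."""
    dao = DAO({"alice": 40_000, "bob": 35_000, "mallory": 1_000},
              quorum=50_000, verify_code=verify_code)

    # 1. An innocuous-looking proposal (here literally a no-op) is voted through.
    benign = Deployed(b"benign-v1", lambda d: None)
    pid = dao.submit("mallory", benign)
    for v in ("alice", "bob", "mallory"):
        dao.vote(pid, v, True)

    # 2. Between the vote and execution, the proposer swaps the code it will run:
    #    the new action simply writes a million votes into the ledger.
    benign.bytecode = b"malicious-v2"

    def mint_votes(d: DAO) -> None:
        d.votes["mallory"] = d.votes.get("mallory", 0) + 1_000_000

    benign.action = mint_votes
    attacked = dao.execute(pid)

    # 3. The honest holders file an "undo" that resets the attacker's balance.
    undo = Deployed(b"undo-v1", lambda d: d.votes.__setitem__("mallory", 1_000))
    pid2 = dao.submit("alice", undo)
    dao.vote(pid2, "alice", True)
    dao.vote(pid2, "bob", True)
    dao.vote(pid2, "mallory", False)        # the new majority votes it down
    undone = dao.execute(pid2)

    total = sum(dao.votes.values())
    return {"attack_executed": attacked, "undo_executed": undone,
            "attacker_share": dao.votes["mallory"] / total}


if __name__ == "__main__":
    print("no check :", run_takeover(verify_code=False))
    print("with check:", run_takeover(verify_code=True))
```

Without the check, the attacker ends the run holding over 90% of all votes and the undo proposal dies at the vote, exactly the "they can just vote down any patch" situation. With the check, the swapped proposal is refused at execution time, the ledger never changes, and the honest holders' proposal passes. The check only helps if the fingerprint is taken at submission and compared at execution; checking the code voters were shown at proposal time is no use if what runs later is something else.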
If I were using Tornado Cash, I'd be pretty freaked out by such a breach. But overall, Nakamotoans seem to be taking this rather calmly. I guess it's like, "They only control the steering wheel. The accelerator and brake still work, so everything will be fine."
But, wait!
The hackers have put into process a change that will undo the hack [2]!
And since the hackers control the voting, there is a good chance that it will be approved and implemented!
What??? Huh?
Now I’m really confused. Was this all just a stunt? Did they do something we don’t know about while they had control? Did someone make a mint trading these tokens? Did they set up some hack or big jackpot in the future?
And, of course, one kind of wonders whether the "undo" is enough to make Tornado trustworthy. Is the hack going to happen again? Is the "undo" really restoring the previous state, or is it leaving behind a cuckoo's egg?
I have no clue who might have done this hack. Assuming this is not just joyriders having some fun, one wonders whether someone wants to further interfere with the money laundering, tax evasion, and sanctions busting that are Tornado Cash's primary purposes. There are any number of someones who might be so motivated.
This may become an interesting real world experiment. Will the "legitimate" users really be able to retake control of the DAO? Will they be able to disable the DAO, and create a new one if needed? If not, how will Tornado Cash operate with a very untrusted governance system? Can it keep going? Or will it become so crazy that even Nakamotoans won't use it?
Any way you slice it, Tornado Cash is surely in the running for recognition by the CryptoTulip of the Year committee!
- [1] Shaurya Malwa (2023) Attacker Takes Over Tornado Cash DAO With Vote Fraud, Token Slumps 40%. Coindesk, https://www.coindesk.com/tech/2023/05/21/attacker-takes-over-tornado-cash-dao-with-vote-fraud-token-slumps-40/
- [2] Sam Reynolds (2023) Tornado Cash's TORN Token Up 10% as Attacker Submits Proposal to Undo Attack. Coindesk, https://www.coindesk.com/markets/2023/05/22/tornado-cashs-torn-token-up-10-as-attacker-submits-proposal-to-undo-attack/
Cryptocurrency Thursday