An attacker was able to take complete control of the governance of the decentralized cryptocurrency mixer Tornado Cash with a malicious proposal.
A fraudulent proposal received 1.2 million votes from an attacker on May 20 at 3:25 ET. The proposal garnered more than 700,000 valid votes, giving the attacker complete authority over Tornado Cash governance.
The information was provided by @samczsun of Paradigm, a research-driven technology investment company. According to @samczsun, the attacker claimed when sharing the malicious proposal that it followed logic similar to that of a proposal the community had already approved. This time, however, the proposal had another function.
The attacker has complete control over Tornado Cash governance and can disable the router, remove all locked votes, and drain all tokens from the governance contract. According to @samczsun, at the time of writing the attacker “simply withdrew 10,000 votes as TORN and sold it all.”