TL;DR#
On May 13, 2023, Tornado Cash was exploited in a series of transactions causing a loss of over $2.77 million.
Introduction to Tornado Cash#
Tornado Cash is a fully decentralized protocol for private transactions on Ethereum.
Vulnerability Assessment#
The attack was successful because the exploiter was able to create their malicious proposal using a legitimate proposal and use the malicious proposal to grant themselves control over the governance contract.
Steps#
Step 1:
The attacker initially created a legitimate proposal using CREATE2 op-code deterministic deployment, allowing them to deploy a new proposal contract at the same address with malicious parameters.
Step 2:
The attacker waited for the legitimate proposal to pass before calling the self-destruct function, allowing them to clean up the proposal contract after execution.
Step 3:
The exploiter deleted the original proposal and then deployed a new proposal contract with malicious parameters to the same address.
Step 4:
The exploiter then executed the proposal, which assigned them approximately 1.2 million votes, outweighing the 700,000 existing votes in the contract.
Step 5:
The attacker used this control over the governance to drain staked $TORN tokens and sell them immediately.
Step 6:
With this compromise, the attacker has the ability to drain the governance contract of its staked $TORN tokens, drain the treasury, manipulate the Tornado Classic Router contract to re-route deposits and withdrawals to another address, as well as compromise their Nova contracts.
Step 7:
This transaction shows that the attacker drained $25,120 worth of funds from their governance vault, and $38,160 worth of funds in this transaction. As viewed from this transaction, the attacker has drained approximately $2,710,290 worth of $TORN tokens from their governance vault.
Step 8:
The exploiter has also washed away funds worth approximately 372 ETH via the Tornado Cash Router.
Solution#
The attack would have been prevented to a greater extent had there been a system in place that could detect payloads or target implementations that are polymorphic or deterministic, such as the usage of self-destruct opcodes or proxy patterns in the smart contracts. This would have helped the users with some sort of pre-signing notification regarding the transactions that are being executed, effectively halting the malicious intent for the governance takeover.
We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if the team associated with Tornado Cash had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference Source mesquka.eth
