Full control over Tornado Cash management allows an attacker to cancel all blocked votes, erase all control tokens, and disable routers.
The decentralized crypto mixer Tornado Cash has a new problem on top of its existing ones: on the night of May 20, an attacker took full control with the help of a malicious proposal, successfully transferring 1.2 million votes.
This was shared by @samczsun of investment firm Paradigm. According to him, the hacker said that the malicious proposal used logic similar to a previously accepted proposal. However, this time he had another job.
“Once the plan is approved by the community, the attacker uses the emergency stop function to update the logic of the plan to give himself a fake vote.”
Full control over Tornado Cash management allows an attacker to cancel all blocked votes, remove all tokens from control contracts, and block routers. At the time of the tweet, the attacker “withdrew only 10,000 votes in the form of TORN tokens and sold them all,” the researcher wrote.
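The quote above describes logic that was changed after the community had approved it, which is a gap between what voters reviewed and what governance later ran. The following is an added example, not code from the original post or from Tornado Cash: a simplified Python model in which `Chain`, `Governance`, the address `0xPROPOSAL` and the use of SHA-256 as the code hash are all assumptions. It shows execution with and without a check that the logic still matches what was approved; how the logic gets replaced is not modeled.

```python
import hashlib

class Chain:
    """Constructed stand-in for on-chain state: address -> deployed logic."""
    def __init__(self):
        self.code = {}
    def deploy(self, addr, logic):
        self.code[addr] = logic
    def codehash(self, addr):
        return hashlib.sha256(self.code.get(addr, b"")).hexdigest()

class Governance:
    def __init__(self, chain, pin_code):
        self.chain = chain
        self.pin_code = pin_code  # True: enforce the hash recorded at approval
        self.approved = {}        # proposal address -> code hash at approval
        self.executed = []        # logic that governance actually ran
    def approve(self, addr):
        # Record what the voters reviewed, not just where it lives.
        self.approved[addr] = self.chain.codehash(addr)
    def execute(self, addr):
        if addr not in self.approved:
            raise PermissionError("proposal was never approved")
        # Re-check at execution time: the address alone proves nothing.
        if self.pin_code and self.chain.codehash(addr) != self.approved[addr]:
            raise PermissionError("proposal logic changed after approval")
        logic = self.chain.code[addr]
        self.executed.append(logic)
        return logic

def run(pin_code):
    """Approve one proposal, swap its logic, then try to execute it."""
    chain = Chain()
    gov = Governance(chain, pin_code)
    chain.deploy("0xPROPOSAL", b"logic voters reviewed")  # constructed sample
    gov.approve("0xPROPOSAL")
    chain.deploy("0xPROPOSAL", b"different logic swapped in after the vote")
    try:
        return gov.execute("0xPROPOSAL")
    except PermissionError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    print("address only:", run(pin_code=False))
    print("hash pinned: ", run(pin_code=True))
```

With `pin_code=False` governance runs logic nobody voted on; with `pin_code=True` the same sequence is rejected at execution.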
The protocol team tried to come up with an agreement that could fix the changes and encourage people to withdraw their money.
He is now looking to Solidity developers to help prevent Blender from crashing. Tornado Cash also said that they should contact Binance because there are more TORN tokens in the balance of the exchange than the attacker has.