Popular crypto mixer Tornado Cash lost total control of its governance to an attacker who deployed a malicious contract to access thousands of votes. The incident was first detected by @samczsun, a researcher at web3-focused investment firm Paradigm, over the weekend.

According to samczsun’s tweet, the attacker claimed to have used the same logic as a proposal passed earlier in creating their malicious proposal without disclosing that they added an extra function.

In a more recent development, though, the attacker “posted a new proposal to restore the state of governance,” according to a post on the mixer’s community forum.

TornadoCash attacker deployed new proposal that, if executed, would seemingly revert the damage done to the Governance functionality. Either they’re giga trolling or it will end up being an expensive but not disastrous lesson in Governance security.https://t.co/QMWYFsi8kP

— 0xdeadf4ce (@0xdface) May 21, 2023

Attacker Seizes Tornado Cash Governance

Immediately after Tornado Cash voters passed the proposal, the exploiter implemented the emergencyStop function and updated the proposal logic to grant themselves 1.2 million fake votes. The attacker’s votes are more than 700,000 legitimate ones, so they have gained full control of the crypto mixer’s governance.

With complete control, the attacker can do whatever they want, like withdrawing all the locked votes, draining all tokens in the governance contract, and bricking the router. However, they cannot drain individual pools.

“Finally, what can we learn from this? Be careful what you vote for! While we all know that proposal descriptions can lie, proposal logic can lie too! If you’re depending on the verified source code to stay the same, make sure the contract doesn’t have the ability to self-destruct,” samczsun warned.

Over $2.1M TORN Tokens Stolen

Shortly after taking hold of Tornado Cash’s contract, the exploiter drained 473,000 TORN – the mixer’s native token – worth more than $2.1 million from the governance contract, according to a tweet from Web3 media group @WhaleCoinTalk. The bad actor sold the assets on-chain and deposited the profits back into Tornado.

Tornadosaurus-Hex, an active member of the Tornado Cash community, confirmed that the attack had compromised all funds in governance and asked all members to withdraw their assets locked in the contract.

While urging users to extract their funds, Tornadosaurus-Hex has also tried to deploy a contract that could revert the changes.

“A proposed solution for the attack which possibly might be viable is reverting the state changes that the attacker made to the contract, directly. As such, I’ve deployed a contract that should be able to do exactly this… Please check it out and if possible propose. Let’s see if we can get it through, otherwise we’re fucked I would say,” the community member said.

Somewhat expectedly, the project’s native token plummeted after the news surfaced. TORN jumped to $7.3 on May 20 but has lost roughly 40% of its value in the following days and now sits at $4.5.