Tornado Cash DAO Faces Suspicious Governance Proposal, Researchers Warn of Possible Attack Targeting $23 Million Treasury

BlockBeats News, June 26th - Blockchain security researcher Sergey Shemyakov issued a warning on June 25th, alerting that a highly suspicious governance proposal had been submitted to the Tornado Cash DAO approximately 8 hours prior, calling for an independent community review.

The proposal exhibited multiple abnormal signals. Firstly, the proposal contract code was not verified, which is extremely rare in the history of Tornado Cash DAO proposals. Researchers believe that this alone constitutes a clear indicator of a malicious proposal. Secondly, the address of the proposal creator received funds through the privacy protocol Railgun 4 days ago, with the source obfuscated, displaying highly suspicious behavior. Thirdly, the proposal description was seemingly wrapped in misleading packaging, but the core issue lies in its target contract. Once the proposal is passed and executed, the governance contract will call the target contract's function via delegatecall, indicating that the attacker could obtain very high permissions through this.

The researcher pointed out that the security of the Tornado Cash mixing pool itself remains unaffected. However, if this proposal is successfully passed, it is highly likely to constitute a direct attack on the Tornado Cash DAO itself. The DAO's treasury currently holds approximately $23 million worth of TORN tokens at risk.

In 2022, Tornado Cash DAO experienced a similar attack where the attacker gained control of the protocol through a malicious governance proposal. The researcher urged all TORN token holders to remain highly vigilant before voting on the proposal.