Tornado Cash Suffers Governance Attack
Monday, May 22, 2023
Tornado Cash suffers a governance attack.
Vitalik warns against overextending Ethereum's social consensus.
Lyra deploys new vaults with support for USDC.
Nimbus releases a medium-urgency client update.
Delegate to ETH Daily during Delegation Week!
Tornado Cash Suffers Governance Attack
Tornado Cash suffered a catastrophic governance attack over the weekend, allowing an attacker to take full control of the Tornado Cash DAO. As a result, locked votes, the TORN treasury, tornadocash.eth, and Tornado Cash Nova are compromised. Users of Tornado Cash Nova, which is an implementation of Tornado Cash on Gnosis Chain, are urged to withdraw funds as soon as possible.
Tornado Cash classic pools are currently unaffected. According to BlockSec, the attacker convinced TORN governance to approve a seemingly ordinary proposal contract, then used a CREATE/CREATE2 trick to replace it with a contract at the same address but with different bytecode. The trick works because a CREATE2 address depends only on the deployer, a salt, and the hash of the initialization code, while a CREATE address depends only on the deployer and its nonce; neither depends on the runtime bytecode that ends up at the address. The attacker self-destructed the proposal contract and the contract that had deployed it, redeployed that deployer via CREATE2 at the same address with its nonce reset, and then used CREATE from it to place a new malicious contract at the proposal's original address. Here’s a TLDR by Harpie.
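The address-reuse pattern above, as an added example (not code from ETH Daily, BlockSec, or the Tornado Cash project). It uses the real EVM derivations for CREATE and CREATE2 addresses on top of a toy account model with pre-Cancun SELFDESTRUCT semantics, which is what applied in May 2023. The Keccak-256 is a pure-Python implementation written for this example so it runs offline; the attacker address, salt, and all contract bytecodes are constructed placeholders and are not the attack's real contracts. The last line of the scenario is the check a DAO would want: record the proposal's code hash when the vote is cast and refuse execution if it no longer matches.

```python
# Added example, not code from ETH Daily, BlockSec or Tornado Cash. Models the
# CREATE / CREATE2 / SELFDESTRUCT address-reuse trick with real EVM address
# derivation. Addresses, salt and contract bytecodes are constructed placeholders.
MASK = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK if n else v

def keccak256(data: bytes) -> bytes:
    """Keccak-256 with the original 0x01 padding (what Ethereum uses, not NIST SHA3-256).
    Pure Python for an offline demo; use pycryptodome or web3 in real tooling."""
    a = [[0] * 5 for _ in range(5)]
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)       # rate is 136 bytes for a 256-bit digest
    buf[-1] |= 0x80
    for off in range(0, len(buf), 136):
        for i in range(17):                  # absorb one block; lane i = x + 5*y
            a[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        for rc in RC:                        # Keccak-f[1600], 24 rounds
            c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
            d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
            a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
            b = [[0] * 5 for _ in range(5)]
            for x in range(5):
                for y in range(5):
                    b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROT[x][y])
            a = [[b[x][y] ^ ((~b[(x + 1) % 5][y] & MASK) & b[(x + 2) % 5][y])
                  for y in range(5)] for x in range(5)]
            a[0][0] ^= rc
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def create_address(sender: bytes, nonce: int) -> bytes:
    """CREATE: keccak256(rlp([sender, nonce]))[12:]. No dependence on any bytecode."""
    if nonce == 0:
        n = b"\x80"
    elif nonce < 0x80:
        n = bytes([nonce])
    else:
        nb = nonce.to_bytes((nonce.bit_length() + 7) // 8, "big")
        n = bytes([0x80 + len(nb)]) + nb
    payload = b"\x94" + sender + n           # 0x94 = RLP prefix of a 20-byte string
    return keccak256(bytes([0xC0 + len(payload)]) + payload)[12:]

def create2_address(deployer: bytes, salt: bytes, init_code: bytes) -> bytes:
    """CREATE2 (EIP-1014): depends on the init code hash, not on what that code returns."""
    return keccak256(b"\xff" + deployer + salt + keccak256(init_code))[12:]

class Chain:
    """Toy account state: address -> nonce and runtime code. Pre-Cancun SELFDESTRUCT
    semantics (the May 2023 rules): the account, its code and its nonce are erased."""
    def __init__(self):
        self.accounts = {}

    def _deploy(self, addr, runtime):
        if self.accounts.get(addr, {}).get("code"):
            raise RuntimeError("address already has code")
        self.accounts[addr] = {"nonce": 1, "code": runtime}   # new contracts start at nonce 1
        return addr

    def create(self, sender, runtime):
        acct = self.accounts.setdefault(sender, {"nonce": 0, "code": b""})
        addr = create_address(sender, acct["nonce"])
        acct["nonce"] += 1
        return self._deploy(addr, runtime)

    def create2(self, deployer, salt, init_code, runtime):
        self.accounts[deployer]["nonce"] += 1  # CREATE2 also bumps the caller's nonce
        return self._deploy(create2_address(deployer, salt, init_code), runtime)

    def selfdestruct(self, addr):
        del self.accounts[addr]

    def codehash(self, addr):
        return keccak256(self.accounts[addr]["code"])

def metamorphic_replay():
    """Vote on one contract, then execute a different one at the same address."""
    chain = Chain()
    attacker = bytes.fromhex("6ac7ea33f8831ea9dcc53393aaa88b25a785dbf0")  # placeholder EOA
    factory = chain.create(attacker, b"\x60\x00")            # attacker's CREATE2 factory
    salt, init = b"\x00" * 32, b"\x60\x00\x60\x00"           # constructed placeholders
    deployer = chain.create2(factory, salt, init, b"\xaa")
    proposal = chain.create(deployer, b"\x60\x01")           # looks harmless; gets voted in
    pinned = chain.codehash(proposal)                        # what a careful DAO records at vote time
    chain.selfdestruct(proposal)                             # after the vote passes ...
    chain.selfdestruct(deployer)                             # ... wipe the deployer too (nonce reset)
    deployer_again = chain.create2(factory, salt, init, b"\xaa")  # same address, nonce back to 1
    evil = chain.create(deployer_again, b"\x60\xff")         # same nonce => same address, new code
    return {
        "same_deployer": deployer_again == deployer,
        "same_proposal": evil == proposal,
        "pin_check_passes": chain.codehash(evil) == pinned,  # mitigation: compare EXTCODEHASH
    }
```

The `pin_check_passes` field is the mitigation: a governance contract that stores `EXTCODEHASH` of the proposal at queue time and compares it at execution would have refused the swapped-in code. Since the Cancun upgrade (EIP-6780, 2024), `SELFDESTRUCT` only erases an account when it runs in the same transaction that created it, so this exact replay no longer works on mainnet, but a code-hash pin remains the right check for any chain without that rule.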
Tornado Cash Hacker Proposes DAO Recovery
The Tornado Cash attacker submitted a new governance proposal seeking to restore the state of Tornado Cash governance. When the Tornado Cash attacker deployed the malicious contract, they granted themselves 1.2 million TORN tokens, effectively gaining full control over the DAO. The new proposal seeks to burn the 1.2 million tokens.
TORN token holders have no say in the proposal’s outcome: the attacker already controls the DAO and has already voted in favor of their own proposal. The proposal is scheduled for execution on Friday, May 26th. Some users warn that the attacker may simply be using the proposal to push up the price of TORN before selling their tokens.
Vitalik On Overloading Ethereum's Social Consensus
Vitalik Buterin published a new blog post warning against applications that try to recruit Ethereum’s social consensus for their own benefit. Solutions that create an incentive to fork Ethereum on an application’s behalf pose a high systemic risk. Vitalik outlines three categories where such solutions appear: price oracles, re-staking, and L2 projects that depend on the L1 for recovery.
Vitalik gives a hypothetical example: if a large L2 project suffered an exploit that lost all user funds, it would lobby Ethereum to fork the L1 chain to restore them. This would also reinforce too-big-to-fail dynamics, in which larger projects have a better chance of a bailout than smaller ones.
Vitalik also points to the 2016 DAO hard fork, from which Ethereum Classic split, as a case where Ethereum’s social consensus was used to bail out users affected by The DAO hack. Externalizing dispute resolution to Ethereum burdens validators and the Ethereum community with additional responsibilities, which Vitalik says could lead to a community split.
Lyra Deploys Newport Upgrade On Optimism
Lyra Finance deployed its Newport upgrade on Optimism. Users can now deposit USDC into market maker vaults for ETH, WBTC, ARB, and OP on Optimism. Previously, Lyra only supported sUSD, since the options protocol hedges through Synthetix. A portion of USDC liquidity is still converted into sUSD. Options on the new contracts go live this week.
Lyra governance approved the upgrade last week. Newport allows Lyra market maker vaults to partially collateralize short positions with cash, removing the need to swap base assets for hedging purposes. It also introduces support for Synthetix Perps V2. Users with assets in older Optimism vaults are advised to withdraw and migrate liquidity into the new vaults.
Nimbus v23.5.1 Medium-Urgency Release
Nimbus released v23.5.1 of its consensus layer client. The release is a medium-urgency upgrade that includes a fix for an issue introduced in v23.4.0, which caused missed block proposals for users with an external block builder. The release also includes support for incremental pruning. Prysm also released v4.0.5, a recommended upgrade that includes improvements to attestation aggregation.