On May 20, 2023, Tornado.Cash experienced a proposal attack, resulting in the attacker profiting approximately $680,000.
SharkTeam conducted a technical analysis of the incident and summarized security measures to serve as a lesson for future projects, aiming to strengthen the security defenses in the blockchain industry.
1. Incident Analysis
· 0x7dc86183274b28e9f1a100a0152dac975361353d(deployed contract)
· 0xc503893b3e3c0c6b909222b45f2a3a259a52752d (fake proposal contract)
(1) The attacker (0x59234095） initiated a proposal to the targeted contract (0x5efda50f) and claimed that it was a supplement to Proposal 16.
(2) However, the proposal actually contained an additional self-destruct function.
(3) Unfortunately, the community did not identify the issue within the proposal, and most members voted in favor of it.
(4) The attacker created multiple contracts to execute token transfers.
(5) The attacker (0x59234095) destroyed the proposal contract (0xc503893b) and its creating contract (0x7dc86183). Subsequently, the attacker redeployed the attack contract (0xc503893b) at the same address.
(6) After modifying the proposal contract, the attacker (0x59234095) executed the proposal and changed the locked token balance of the contracts they controlled to 10,000.
(7) Once the proposal execution was complete, the attacker (0x09212366) transferred the tokens to their own address, gaining ownership of the targeted contract.
Since the deployment contract (0x7dc86183) is deployed through create2, the fake proposal contract (0xc503893b) is deployed through create. After the two contracts are destroyed, because the bytecode of the deployment contract (0x7dc86183) has not changed, so reusing create2 deployment can be deployed to the same address, which is 0x7dc86183, and the attack contract is deployed using the create opcode, in the deployment contract ( 0x7dc86183) is destroyed, the nonce restores the initial value, so that the attack contract can be deployed to the same address 0xc503893b even when the contract is modified. And the execution of the proposal is called in the form of delegatecall, and the attacking contract can arbitrarily modify the value in the attacked contract.
Summary of the Incident:
The root cause of this incident was the community’s failure to identify the risks within the proposal and to thoroughly verify the security of the proposal contract’s code.
2. Security Recommendations
In response to the recent attack incident, it is important to follow the following guidelines during the development process:
1. When designing proposals, fully consider the security of the proposal mechanism and strive to minimize the risk of centralized control. Practical measures such as reducing the value of potential attacks, increasing the cost of acquiring voting rights, and raising the cost of executing an attack should be taken into account to ensure a well-designed proposal mechanism.
2. Before voting on a proposal, the community should carefully review the contract code for any potential backdoors or security vulnerabilities.
3. Prior to proposal approval, it is advisable to engage a third-party security audit firm to conduct a thorough security audit of the contract logic code.