SharkTeam: Analysis of Tornado.Cash Proposal Attack Principle

The reason for this incident was that the community failed to discover the risks in the proposal when checking the proposal, and did not carefully verify whether the code of the proposal contract had security vulnerabilities.

Written by: SharkTeam

On May 20, 2023, Beijing time, Tornado.Cash suffered a proposal attack, and the attacker has made a profit of about 680,000 US dollars. SharkTeam conducted a technical analysis of this incident for the first time, and summarized the security precautions, hoping that subsequent projects can learn from it and build a security defense line for the blockchain industry.

1. Event analysis

Attacker address:

0x092123663804f8801b9b086b03B98D706f77bD59

0x592340957eBC9e4Afb0E9Af221d06fDDDF789de9

Attack contract:

0xAF54612427d97489707332efe0b6290F129DbAcb

0x03ecf0d22f9ccd21144a7d492cf63b471916497a

0x7dc86183274b28e9f1a100a0152dac975361353d (deployment contract)

0xc503893b3e3c0c6b909222b45f2a3a259a52752d (fake proposal contract)

Attacked contract:

0x5efda50f22d34F262c29268506C5Fa42cB56A1Ce

Initiate a proposal transaction:

0x34605f1d6463a48b818157f7b26d040f8dd329273702a0618e9e74fe350e6e0d

Attack transactions:

0x3274b6090685b842aca80b304a4dcee0f61ef8b6afee10b7c7533c32fb75486d

Attack process:

(1) First, the attacker (0x08e80ecb) initiates a proposal to the attacked contract (0x5efda50f), claiming that this proposal is a supplement to Proposition 16

(2) But there is actually an additional self-destruct function in the proposal.

(3) Unfortunately, the community did not find any problems in this proposal, and most members voted to pass this proposal.

(4) The attacker created many contracts to implement the transfer of tokens

(5) The attacker (0x08e80ecb) destroys the proposal contract (0xc503893b) and his creation contract (0x7dc86183). The attack contract (0xc503893b) was subsequently redeployed at the same address.

(6) After modifying the proposal contract, the attacker (0x08e80ecb) executes the proposal and modifies the token lock amount of the contract address under his control to 10000.

(7) After the proposal is executed, the attacker (0x08e80ecb) transfers the tokens to his own address and obtains the ownership of the attacked contract.

Vulnerability analysis: Since the creation contract (0x7dc86183) of the proposal contract (0xc503893b) is deployed through creat2, after the two contracts are destroyed, a new logic contract can be deployed on the same address, and the proposal execution is invoked in the form of a delegatecall. The attacking contract can arbitrarily modify the value in the attacked contract.

Summary of the incident: The reason for this incident was that the community failed to discover the risks in the proposal when checking the proposal, and did not carefully verify whether the code of the proposal contract had security vulnerabilities.

2. Security Recommendations

In response to this attack, we should follow the following precautions during the development process:

• When designing proposals, fully consider the security of the proposal mechanism and minimize the risk of proposals being centrally controlled. Consider reducing the value of attacks, increasing the cost of obtaining voting rights, and increasing the cost of executing attacks, etc. design.
• Before voting on the proposal, the community should carefully check whether the contract code has a backdoor.
• Before the proposal is approved, a third-party security audit company can be contacted to conduct a security audit of the contract logic code.