Tornado Cash (Governance): Metamorphic contract (CREATE + CREATE2 + selfDestruct) — trojan horse governance proposal
Tornado Cash's governance was hijacked when an attacker used a metamorphic contract to swap in malicious code after a legitimate-looking proposal was approved, gaining 1.2M votes vs 700K legitimate and taking full DAO control.
Summary #
Tornado Cash (Governance), the DAO that governs the Tornado Cash privacy protocol, suffered a governance takeover on 2023-05-20, resulting in a loss of approximately $750K.
What happened #
An attacker submitted a governance proposal whose contract looked like a routine, previously accepted change and won the vote on that basis. The proposal contract, however, had been deployed through a chain of CREATE2 (a throwaway deployer contract, created with a fixed salt and init code) and CREATE (the proposal itself, created by that deployer at its first nonce). Neither address derivation binds the runtime bytecode: CREATE2 commits only to the deployer, salt and init-code hash, and CREATE commits only to the creator and its nonce. Once the vote had passed, the attacker called SELFDESTRUCT on both contracts, redeployed the deployer at the same address via the same CREATE2 factory, salt and init code, and let its reset nonce produce the same proposal address with different bytecode. When governance executed the approved address by delegatecall, the swapped-in code wrote directly into the governance contract's storage, crediting attacker-controlled addresses with roughly 1.2M locked-TORN votes against about 700K legitimately held, which handed the attacker full control of the DAO.
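The address arithmetic behind the swap, as an added worked example that is not part of this write-up and not the attacker's or Tornado Cash's code. It implements Keccak-256, the CREATE and CREATE2 address formulas, and a toy account model with pre-Cancun SELFDESTRUCT semantics, then replays the deploy / destroy / redeploy sequence to show the same proposal address ending up with different code. The factory address, salt, init code and bytecode strings are constructed placeholders; `execute_guard` is a hypothetical mitigation (pin EXTCODEHASH at proposal creation and refuse to execute if it changed), not a feature of the real governance contract.

```python
# Added example (not from the incident write-up): toy model of the
# CREATE + CREATE2 + SELFDESTRUCT "metamorphic" pattern. All inputs are constructed.
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
MASK = (1 << 64) - 1

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK if n else v

def _keccak_f(st):
    """Keccak-f[1600] over 25 little-endian lanes indexed x + 5*y."""
    for rc in RC:
        c = [st[x] ^ st[x + 5] ^ st[x + 10] ^ st[x + 15] ^ st[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        st = [st[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(st[x + 5 * y], ROT[x][y])
        st = [(b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])) & MASK
              for i in range(25)]
        st[0] ^= rc
    return st

def keccak256(data: bytes) -> bytes:
    """Pure-Python Keccak-256 (Ethereum's hash, 0x01 padding; not NIST SHA3-256)."""
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(buf), 136):
        for i in range(17):
            st[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        st = _keccak_f(st)
    return b"".join(st[i].to_bytes(8, "little") for i in range(4))

def _rlp(b: bytes) -> bytes:  # RLP for strings shorter than 56 bytes
    return b if len(b) == 1 and b[0] < 0x80 else bytes([0x80 + len(b)]) + b

def create_address(deployer: bytes, nonce: int) -> bytes:
    """CREATE: keccak(rlp([sender, nonce]))[12:]; no dependence on any code at all."""
    n = b"" if nonce == 0 else nonce.to_bytes((nonce.bit_length() + 7) // 8, "big")
    payload = _rlp(deployer) + _rlp(n)
    return keccak256(bytes([0xC0 + len(payload)]) + payload)[12:]

def create2_address(deployer: bytes, salt: bytes, init_code: bytes) -> bytes:
    """CREATE2 (EIP-1014): commits to the init-code hash, never to the runtime code."""
    return keccak256(b"\xff" + deployer + salt + keccak256(init_code))[12:]

class World:
    """Toy account state with pre-Cancun SELFDESTRUCT (code and nonce both wiped)."""
    def __init__(self):
        self.code, self.nonce = {}, {}
    def create2(self, sender, salt, init_code, runtime):
        addr = create2_address(sender, salt, init_code)
        assert addr not in self.code, "address already has code"
        self.code[addr], self.nonce[addr] = runtime, 1  # EIP-161: contracts start at nonce 1
        return addr
    def create(self, sender, runtime):
        addr = create_address(sender, self.nonce[sender])  # current nonce, then increment
        assert addr not in self.code, "address already has code"
        self.nonce[sender] += 1
        self.code[addr], self.nonce[addr] = runtime, 1
        return addr
    def selfdestruct(self, addr):
        del self.code[addr]; del self.nonce[addr]  # EIP-6780 (Cancun) removed this reset

def execute_guard(world: World, proposal: bytes, pinned_codehash: bytes) -> bool:
    """Hypothetical defence: pin EXTCODEHASH at proposal creation, refuse to
    delegatecall at execution time if the code at that address has changed."""
    return keccak256(world.code.get(proposal, b"")) == pinned_codehash

def run_attack_simulation() -> dict:
    w = World()
    factory = bytes.fromhex("aa" * 20)  # constructed: attacker's persistent CREATE2 factory
    salt, deployer_init = b"\x00" * 32, b"\x60\x00\x60\x00"  # constructed placeholder init code
    benign = b"proposal v1: slash misbehaving relayers (what voters reviewed)"
    malicious = b"proposal v2: write lockedBalance for attacker addresses"
    # Stage 1: factory -CREATE2-> deployer -CREATE-> proposal; voters approve this address.
    deployer = w.create2(factory, salt, deployer_init, b"deployer-runtime")
    proposal = w.create(deployer, benign)
    pinned = keccak256(w.code[proposal])
    # Stage 2: after the vote, wipe both, rebuild with the same salt/init code and fresh nonce.
    w.selfdestruct(proposal); w.selfdestruct(deployer)
    deployer2 = w.create2(factory, salt, deployer_init, b"deployer-runtime")
    proposal2 = w.create(deployer2, malicious)
    return {"same_deployer": deployer == deployer2, "same_proposal": proposal == proposal2,
            "code_swapped": w.code[proposal2] == malicious,
            "guard_allows_execution": execute_guard(w, proposal, pinned),
            "proposal_address": "0x" + proposal.hex()}
```

Two caveats a practitioner should keep in mind. Since the Cancun upgrade (EIP-6780) SELFDESTRUCT no longer clears code or nonce unless it runs in the transaction that created the contract, so this exact redeploy sequence is closed on Ethereum mainnet; chains that have not adopted EIP-6780 still have the old semantics modelled here. And pinning the code hash does not cover an approved address that is itself a proxy, since its implementation can change without the address's own code changing.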
Linked factors #
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A (Tornado Cash is community-governed, no active bug bounty post-OFAC sanctions)]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — the attack IS the governance action; proposal submission + voting visible on-chain]