Tornado Cash Governance Takeover
Tornado Cash DAO was hijacked after an attacker selfdestructed a passed proposal and redeployed malicious code at the same address, seizing 1.2M votes vs ~70K.
- Date
- Victim: Tornado Cash
- Chain(s)
- Status: Recovered
On May 20, 2023, the Tornado Cash DAO was taken over by an attacker who exploited a subtle property of contract redeployment. The malicious proposal claimed to be byte-identical to an earlier, community-approved proposal — so voters approved it. After it passed, the attacker selfdestructed the proposal logic and redeployed entirely different malicious code at the same address, seizing 1.2 million votes against ~70,000 legitimate ones and draining the DAO. Net theft: approximately $2.17 million (Rekt's leaderboard lists $750K, reflecting a different accounting of realised value). The attacker later returned governance control.
What happened
Tornado Cash's DAO executed approved proposals via delegatecall into a proposal contract. The attack abused the difference between when voters review a proposal and when its code actually executes:
- The attacker submitted a proposal with logic that appeared identical to a previously-approved, trusted proposal. Voters, recognising the "same" code, approved it.
- The proposal contract contained a hidden emergencyStop() function with selfdestruct.
- After the proposal passed but before/at execution, the attacker called emergencyStop(), destroying the proposal contract's code and — critically — resetting the deployment nonce / freeing the address.
- The attacker redeployed completely different malicious code to the same address (using the CREATE2-style address-reuse property that selfdestruct enabled at the time).
- When the DAO executed the "approved" proposal via delegatecall, it now ran the attacker's substituted malicious code — which minted 10,000 governance votes to each of many attacker-controlled addresses, totalling 1.2 million votes against the ~70,000 legitimate votes in existence.
- With supermajority control, the attacker drained the DAO's TORN holdings and locked router fees.
Aftermath
- TORN token fell ~40-50% on the news.
- In an unusual turn, the attacker — after demonstrating total control — submitted a proposal to restore legitimate governance and relinquished control, returning the DAO to its community. They kept the realised token proceeds.
- The incident became a canonical case study in the danger of selfdestruct-enabled address reuse and the gap between proposal review and proposal execution.
Why it matters
The Tornado Cash governance attack is one of the most technically elegant exploits in the catalogue, and it teaches two distinct lessons:
- "The code you reviewed is not necessarily the code that executes." Governance voters reviewed code at proposal-submission time; the code that ran at execution time was different, because selfdestruct + redeployment let the attacker swap the contract's bytecode at a fixed address. This is the same structural lesson as Swaprum and Hope Finance (deployed ≠ audited), generalised to governance.
- selfdestruct-enabled address reuse is a foundational hazard. The attack depended on the EVM property (since constrained by EIP-6780) that selfdestruct freed an address for redeployment with different code. The exploit is one of the highest-profile reasons the EVM's selfdestruct semantics were subsequently tightened.
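Both lessons translate into checks a governance reviewer or executor can run. The sketch below is an added example, not code from Tornado Cash or from the sources cited here: it flags a SELFDESTRUCT opcode in proposal bytecode at review time and refuses execution if the code at the proposal address no longer matches what was reviewed. The ProposalGuard class, the toy chain dictionary, the address label and the bytecode samples are constructed for illustration, and SHA3-256 stands in for the EVM's Keccak-256 code hash.

```python
import hashlib

SELFDESTRUCT, PUSH1, PUSH32 = 0xFF, 0x60, 0x7F

def has_selfdestruct(code: bytes) -> bool:
    """Linear opcode sweep for SELFDESTRUCT (0xff).

    PUSH1..PUSH32 immediates are skipped so a 0xff data byte is not reported.
    Conservative: unreachable bytes or trailing metadata containing 0xff can
    still be flagged, and a DELEGATECALL into destructible code is not caught.
    """
    i = 0
    while i < len(code):
        op = code[i]
        if op == SELFDESTRUCT:
            return True
        i += 1 + (op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0)
    return False

def code_hash(code: bytes) -> str:
    # Stand-in digest (assumption): the EVM's EXTCODEHASH is Keccak-256, which
    # is not in Python's standard library; SHA3-256 keeps this runnable offline.
    return hashlib.sha3_256(code).hexdigest()

class ProposalGuard:
    """Hypothetical governance-side guard over a toy chain state {address: code}."""

    def __init__(self, chain: dict):
        self.chain, self.pinned = chain, {}

    def review(self, addr: str) -> bool:
        """Pin the code hash seen at review time; return True if destructible."""
        code = self.chain[addr]
        self.pinned[addr] = code_hash(code)
        return has_selfdestruct(code)

    def safe_to_execute(self, addr: str) -> bool:
        """Allow execution only if the code at addr is still what was reviewed."""
        current = code_hash(self.chain.get(addr, b""))
        return addr in self.pinned and current == self.pinned[addr]

# Constructed bytecode samples (not taken from the incident).
BENIGN = bytes.fromhex("60ff60005500")    # PUSH1 0xff, PUSH1 0, SSTORE, STOP
HIDDEN = BENIGN + bytes.fromhex("33ff")   # ... CALLER, SELFDESTRUCT
SWAPPED = bytes.fromhex("600160005500")   # different logic at the same address

def demo():
    chain = {"0xPROPOSAL": HIDDEN}
    guard = ProposalGuard(chain)
    flagged = guard.review("0xPROPOSAL")  # review-time scan and hash pin
    chain["0xPROPOSAL"] = SWAPPED         # code replaced after the vote
    return flagged, guard.safe_to_execute("0xPROPOSAL")
```

On-chain, the same pin would compare the proposal address's code hash recorded at submission against the value read immediately before the delegatecall.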
The attacker's choice to return governance control is also notable — one of several catalogue cases (Mango Markets, the DODO white-hats, this) where the perpetrator's relationship to the funds was ambiguous between "thief" and "aggressive demonstrator." The legal and ethical line — does executing logic the contract permits constitute a crime? — remains the unresolved question that runs through the entire DeFi-exploit era.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-tornado-cash-hack-may-2023
- [02] coindesk.com: https://www.coindesk.com/tech/2023/05/21/attacker-takes-over-tornado-cash-dao-with-vote-fraud-token-slumps-40
- [03] medium.com: https://medium.com/@zan.top/unpacking-the-tornado-cash-governance-attack-15b40691ca2e