It’s been a chaotic weekend for decentralized finance (DeFi) as two self-executing governance proposals wrought havoc on two well-known projects.
The affected platforms are Aave, the sector’s premier lending and borrowing protocol, and Tornado Cash, a crypto mixing tool favored by privacy advocates and hackers alike.
However, the new code was incompatible with the Polygon deployment of the protocol due to the formatting of the ReserveInterestRateStrategy function, according to security firm BlockSec.
The error resulted in the freezing of affected assets (USDT, BTC, ETH and MATIC), worth over $100 million in total. While inaccessible, the funds are not at risk, and users are able to top up their positions with other assets to avoid potential liquidations.
The following day, news broke of a governance attack on Tornado Cash, a ‘mixer’ which allows users to deposit funds into shared ‘privacy pools’ before withdrawing to an untraceable address.
The attack was disguised as a genuine proposal named ‘Relayer registry penalization,’ which passed a DAO vote and was executed on Saturday.
However, the attacker managed to conceal code within the upgrade which assigned their address 1.2 million votes, essentially granting them control over the project’s governance.
The protocol is designed so that funds in the privacy pools cannot be extracted by anyone except depositors. However, the attacker is able to withdraw governance tokens (which they did, selling 410,000 TORN for 430 ETH and washing the profits through none other than… Tornado Cash).
On Sunday, the attacker published a new proposal which would revert the damage done, resetting their voting power to zero.
Tornado Cash is a divisive project, with some claiming it’s a money-laundering service helping hackers, cybercriminals, and North Korea’s Lazarus Group wash ill-gotten gains. Others maintain it’s a necessary privacy tool for a financial environment in which every transaction is visible on-chain.
Last August, the US Treasury sanctioned Tornado Cash, and core developer Alexey Pertsev was arrested in the Netherlands. He was released, pending trial, last month.
Fully on-chain voting and the automatic execution of governance decisions are often seen as the goal in DeFi, where the need to trust is avoided at all costs. However, as the chaos at Aave and Tornado Cash shows, it can be a double-edged sword, resulting in unintended consequences for token holders.
On the other hand, for all their talk of decentralization, many other ‘DeFi’ projects are essentially controlled by a core team of developers who are trusted to enact any changes voted for by token holders.