It’s been a chaotic weekend for decentralized finance (DeFi) as two self-executing governance proposals wrought havoc on two well-known projects.
The affected platforms are Aave, the sector’s premier lending and borrowing protocol, and Tornado Cash, a crypto mixing tool favored by privacy advocates and hackers alike.
Aave
On Friday, an update to Aave V2 went into effect with the aim of adjusting interest rate calculations on certain assets across Ethereum, Avalanche and Polygon.
However, the new code was incompatible with the Polygon deployment of the protocol due to the formatting of the ReserveInterestRateStrategy function, according to security firm BlockSec.
.@AaveAave the latest upgrade of ReserveInterestRateStrategy in Aave V2 (Polygon) has caused a temporary halt of the protocol, impacting assets worth ~$110M!
The root cause is the new ReserveInterestRateStrategy is only compatible with Ethereum, not compatible with Polygon. https://t.co/kg5696QNPo pic.twitter.com/Ze3zSBS8Ck
— BlockSec (@BlockSecTeam) May 19, 2023
Read more: Compound Finance upgrade bug freezes $830M in crypto
The error resulted in the freezing of affected assets (USDT, BTC, ETH and MATIC), worth over $100 million in total. While inaccessible, the funds are not at risk, and users are able to top up their positions with other assets to avoid potential liquidations.
As with competitor Compound’s similar gaffe last year, Aave users will need to wait for a fix to pass through the same governance process, which takes a total of seven days.
Tornado Cash
The following day, news broke of a governance attack on Tornado Cash, a ‘mixer’ which allows users to deposit funds into shared ‘privacy pools’ before withdrawing to an untraceable address.
The attack was disguised as a genuine proposal named ‘Relayer registry penalization,’ which passed a DAO vote and was executed on Saturday.
On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz
— @samczsun.com (@samczsun) May 20, 2023
However, the attacker managed to conceal code within the upgrade which assigned their address 1.2 million votes, essentially granting them control over the project’s governance.
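The failure described above is that a proposal's executable payload did something its title never mentioned: it rewrote the vote ledger. One defensive pattern a governance executor can apply is to treat the vote ledger as an invariant of proposal execution, running the payload on a scratch copy of state and refusing to commit it if any voter's power changed. The toy simulation below is an added example written for this article, not code from Tornado Cash or any real DAO; the `DAOState`, `execute_guarded` and proposal functions are constructed for illustration, and the 1,200,000 / ~700,000 vote figures are taken from the tweet quoted above.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed toy state: a vote ledger plus a registry that a legitimate
# "relayer penalization" proposal would be expected to modify.
@dataclass
class DAOState:
    votes: Dict[str, int]        # voting power per address
    relayers: Dict[str, bool]    # relayer address -> active flag

class ProposalRejected(Exception):
    """Raised when a proposal's payload violates an executor invariant."""

Proposal = Callable[[DAOState], None]

def execute_unguarded(state: DAOState, proposal: Proposal) -> DAOState:
    """Naive executor: whatever the voted-in payload does becomes the new state."""
    new_state = deepcopy(state)
    proposal(new_state)
    return new_state

def execute_guarded(state: DAOState, proposal: Proposal) -> DAOState:
    """Executor that pins the vote ledger as an invariant.

    The payload runs on a scratch copy; if the per-address voting power
    differs afterwards, the whole execution is discarded. A proposal that
    legitimately needs to change token balances would have to go through a
    separate, explicitly labelled path rather than this one.
    """
    scratch = deepcopy(state)
    proposal(scratch)
    if scratch.votes != state.votes:
        changed = {a for a in set(state.votes) | set(scratch.votes)
                   if state.votes.get(a, 0) != scratch.votes.get(a, 0)}
        raise ProposalRejected(f"payload modified voting power of {sorted(changed)}")
    return scratch

def honest_penalization(s: DAOState) -> None:
    """What the proposal title 'Relayer registry penalization' claims to do."""
    s.relayers["relayer-a"] = False

def malicious_penalization(s: DAOState) -> None:
    """Same visible effect, plus a hidden write to the vote ledger (constructed)."""
    s.relayers["relayer-a"] = False
    s.votes["attacker"] = s.votes.get("attacker", 0) + 1_200_000

def controls_governance(s: DAOState, addr: str) -> bool:
    """True if addr alone outvotes everyone else combined."""
    own = s.votes.get(addr, 0)
    return own > sum(v for a, v in s.votes.items() if a != addr)

def initial_state() -> DAOState:
    # ~700,000 legitimate votes spread over a few constructed holders
    return DAOState(
        votes={"holder-1": 300_000, "holder-2": 250_000, "holder-3": 150_000},
        relayers={"relayer-a": True, "relayer-b": True},
    )

def run_scenario() -> dict:
    """Compare both executors against the honest and the malicious payload."""
    result = {}
    result["honest_ok"] = not execute_guarded(initial_state(), honest_penalization).relayers["relayer-a"]
    after_naive = execute_unguarded(initial_state(), malicious_penalization)
    result["naive_attacker_controls"] = controls_governance(after_naive, "attacker")
    try:
        execute_guarded(initial_state(), malicious_penalization)
        result["guarded_rejected"] = False
    except ProposalRejected:
        result["guarded_rejected"] = True
    return result

if __name__ == "__main__":
    print(run_scenario())
```

The honest payload passes the guard untouched, while the payload that also credits the attacker 1.2 million votes is rejected in full, registry change included. The check is deliberately coarse: it does not try to understand what the payload does, only whether the ledger that decides future votes survived execution unchanged, which is the one outcome a governance executor can verify without trusting the proposal's description.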
The protocol is designed so that funds in the privacy pools cannot be extracted by anyone except depositors. However, the attacker is able to withdraw governance tokens (which they did, selling 410,000 TORN for 430 ETH and washing the profits through none other than… Tornado Cash).
On Sunday, the attacker published a new proposal which would revert the damage done, resetting their voting power to zero.
TornadoCash attacker deployed new proposal that, if executed, would seemingly revert the damage done to the Governance functionality. Either they're giga trolling or it will end up being an expensive but not disastrous lesson in Governance security. https://t.co/QMWYFsi8kP
— 0xdeadf4ce (@0xdface) May 21, 2023
Read more: US Treasury sanctions OTC traders for aiding Lazarus hackers
Tornado Cash is a divisive project, with some claiming it’s a money-laundering service helping hackers, cybercriminals, and North Korea’s Lazarus Group wash ill-gotten gains. Others maintain it’s a necessary privacy tool for a financial environment in which every transaction is visible on-chain.
Last August, the US Treasury sanctioned Tornado Cash, and core developer Alexey Pertsev was arrested in the Netherlands. He was released, pending trial, last month.
On-chain governance
Fully on-chain voting and the automatic execution of governance decisions are often seen as the goal in DeFi, where the need to trust is avoided at all costs. However, as the chaos at Aave and Tornado Cash shows, it can be a double-edged sword with unintended consequences for token holders: a proposal executes exactly as written, whether its code is broken or deliberately hidden.
On the other hand, for all their talk of decentralization, many other ‘DeFi’ projects are essentially controlled by a core team of developers who are trusted to enact any changes voted for by token holders.