en
Back to the list

DeFi has rough weekend with Aave and Tornado Cash chaos

source-logo  protos.com 22 May 2023 13:01, UTC

It’s been a chaotic weekend for decentralized finance (DeFi) as two self-executing governance proposals wrought havoc on two well-known projects.

The affected platforms are Aave, the sector’s premier lending and borrowing protocol, and Tornado Cash, a crypto mixing tool favored by privacy advocates and hackers alike.

on-chain-governance-causes-chaos-for-aave-and-tornado-cash

Aave

On Friday, an update to Aave V2 went into effect with the aim of adjusting interest rate calculations on certain assets across Ethereum, Avalanche and Polygon.

However, the new code was incompatible with the Polygon deployment of the protocol due to the formatting of the ReserveInterestRateStrategy function, according to security firm BlockSec.

.@AaveAave the latest upgrade of ReserveInterestRateStrategy in Aave V2 (Polygon) has caused a temporary halt of the protocol, impacting assets worth ~$110M!
The root cause is the new ReserveInterestRateStrategy is only compatible with Ethereum, not compatible with Polygon. https://t.co/kg5696QNPo pic.twitter.com/Ze3zSBS8Ck

— BlockSec (@BlockSecTeam) May 19, 2023

Read more: Compound Finance upgrade bug freezes $830M in crypto

The error resulted in the freezing of affected assets (USDT, BTC, ETH and MATIC), worth over $100 million in total. While inaccessible, the funds are not at risk, and users are able to top up their positions with other assets to avoid potential liquidations.

As with competitor Compound’s similar gaffe last year, Aave users will need to wait for a fix to pass through the same governance process, which takes a total of seven days.

Tornado Cash

The following day, news broke of a governance attack on Tornado Cash, a ‘mixer’ which allows users to deposit funds into shared ‘privacy pools’ before withdrawing to an untraceable address.

The attack was disguised as a genuine proposal named ‘Relayer registry penalization,’ which passed a DAO vote and was executed on Saturday.

On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control.https://t.co/nY87XmrYgT pic.twitter.com/h9qjc3xRqz

— @samczsun.com (@samczsun) May 20, 2023

However, the attacker managed to conceal code within the upgrade which assigned their address 1.2 million votes, essentially granting them control over the project’s governance.

The protocol is designed so that funds in the privacy pools cannot be extracted by anyone except depositors. However, the attacker is able to withdraw governance tokens (which they did, selling 410,000 TORN for 430 ETH and washing the profits through none other than… Tornado Cash).

On Sunday, the attacker published a new proposal which would revert the damage done, resetting their voting power to zero.

TornadoCash attacker deployed new proposal that, if executed, would seemingly revert the damage done to the Governance functionality. Either they're giga trolling or it will end up being an expensive but not disastrous lesson in Governance security.https://t.co/QMWYFsi8kP

— 0xdeadf4ce (@0xdface) May 21, 2023

Read more: US Treasury sanctions OTC traders for aiding Lazarus hackers

Tornado Cash is a divisive project, with some claiming it’s a money-laundering service helping hackers, cybercriminals, and North Korea’s Lazarus Group wash ill-gotten gains. Others maintain it’s a necessary privacy tool for a financial environment in which every transaction is visible on-chain.

Last August, the US Treasury sanctioned Tornado Cash, and core developer Alexey Pertsev was arrested in the Netherlands. He was released, pending trial, last month.

On-chain governance

Fully on-chain voting and the automatic execution of governance decisions is often seen as the goal in DeFi, where the need to trust is avoided at all costs. However, as the chaos to Aave and Tornado Cash show, it can be a double-edged sword resulting in unintended consequences for token holders.

On the other hand, for all their talk of decentralization, many other ‘DeFi’ projects are essentially controlled by a core team of developers who are trusted to enact any changes voted for by token holders.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on Twitter, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.

protos.com