Researchers at L2BEAT have flagged a suspicious governance proposal submitted to the Tornado Cash DAO.
It raised eyebrows for pointing to an unverified contract, something “very unusual for Tornado Cash DAO proposals… [and] a clear indication that the proposal should be treated as malicious.”
Adding to suspicions, the address of the proposer was funded by Railgun (a competing crypto privacy protocol) just four days ago.
Sergey Shemyakov, a ZK researcher, took to X to “summon” others to examine the proposal, which “shows pretty convoluted logic.”
1/ A suspicious DAO proposal on Tornado Cash was created ~8hrs ago. Summoning @pcaversaccio (and everyone else curious) for an independent opinion!
Details in the thread below👇
— sergeyshemyakov, PhD 💗 (@sergeyshemyakov) June 25, 2026
The proposal purports to define a new fee structure and “establish a brand-new dynamic deflationary economic model.”
However, Security Alliance researcher Pascal Caversaccio alleged that the proposal’s intentions are “malicious”: its real purpose, he says, is to swap key addresses for spoofed lookalikes.
The current DAO governance address, which holds $23 million of TORN tokens, would be replaced by an attacker-controlled address which shares the same initial 15 characters.
A similar switch would be made on the staking governance proxy contract.
Caversaccio also notes that the spoofed governance address would be able to “zero out any relayer’s balance at will.” He called the proposal a “governance attack on Tornado Cash” and urged TORN holders to reject it.
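As an added example (not code from the article, from L2BEAT, or from the Tornado Cash project), a defender-side check for the lookalike pattern described above: it compares every address a proposal would install against the DAO’s known privileged addresses and flags near-matches on leading characters, using the 15-character threshold the article reports. It goes slightly beyond the article by also flagging a shared trailing segment, since wallet UIs usually truncate the middle of an address; every address below is a constructed placeholder, not a real Tornado Cash contract.

```python
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed placeholders (NOT real Tornado Cash addresses).
KNOWN_GOVERNANCE = ["0xabcdef0123456789abcdef0123456789abcdef01"]
LOOKALIKE_PREFIX = "0xabcdef01234560" + "f" * 26   # first 15 chars match
LOOKALIKE_SUFFIX = "0x" + "0" * 36 + "ef01"        # last 4 chars match
UNRELATED = "0x" + "9" * 40


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address so EIP-55 casing cannot hide a match."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def shared_prefix_len(a: str, b: str) -> int:
    """Leading characters (counting the '0x') that two addresses have in common."""
    n = 0
    for x, y in zip(normalize(a), normalize(b)):
        if x != y:
            break
        n += 1
    return n


def shared_suffix_len(a: str, b: str) -> int:
    """Trailing characters two addresses have in common (the part wallets display)."""
    n = 0
    for x, y in zip(reversed(normalize(a)), reversed(normalize(b))):
        if x != y:
            break
        n += 1
    return n


def find_lookalikes(known, proposed, min_prefix=15, min_suffix=4):
    """Return (proposed, known, prefix_len, suffix_len) for every proposed address
    that is not itself a known address yet resembles one. Exact matches are
    legitimate references and are never reported."""
    known_set = {normalize(k) for k in known}
    hits = []
    for p in proposed:
        pn = normalize(p)
        if pn in known_set:
            continue
        for k in sorted(known_set):
            pre, suf = shared_prefix_len(pn, k), shared_suffix_len(pn, k)
            if pre >= min_prefix or suf >= min_suffix:
                hits.append((pn, k, pre, suf))
    return hits
```

Run the check over the addresses a proposal’s calldata would write into governance storage and treat any hit as grounds to reject the proposal until the replacement address is explained and its contract is verified.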
All TORN up
Today’s governance attack is the latest in a long series of governance, legal and security troubles for Tornado Cash.
Tornado Cash last faced a governance attack in 2023 when a malicious proposal passed, granting an attacker a majority share of votes.
On 2023/05/20 at 07:25:11 UTC, Tornado Cash governance effectively ceased to exist. Through a malicious proposal, an attacker granted themselves 1,200,000 votes. As this is more than the ~700,000 legitimate votes, they now have full control. https://t.co/nY87XmrYgT
— samczsun (@samczsun) May 20, 2023
After selling around $800,000 of TORN tokens for ETH, the attacker created a new proposal to set its voting power back to zero. Not before washing the proceeds through none other than Tornado Cash itself, though.
The following year, multiple Tornado Cash IPFS front ends were injected with malicious JavaScript that leaked sensitive deposit information to an attacker-controlled server. Even a hacker allegedly fell victim to the trap.
In the legal sphere, Tornado Cash was sanctioned by the US Treasury in 2022, though the decision was eventually reversed last year.
Although the protocol is no longer banned, Tornado Cash developer Roman Storm was prosecuted last year, in a rocky trial, for conspiracy to operate an unlicensed money-transmitting business.
Storm’s fate continues to hang in the balance. In April, a motion for acquittal was left unresolved and prosecutors are keen to retry two counts on which the jury remained deadlocked at the end of his trial.