The Tornado Cash saga, one of the most dramatic incidents in the short history of cryptocurrency, has finally reached its conclusion. The story that unfolded over the past few months has been as tumultuous as it is instructive, featuring a hostile takeover by a malicious hacker who seized control of Tornado Cash’s blockchain protocol by hijacking its governance mechanism. Yet, in an unexpected twist, the hacker decided to relinquish control and hand the reins back to the community.
Tornado Cash, a cryptocurrency smart contract mixer known for enabling users to deposit and withdraw crypto from different addresses without leaving a trace, became the target of an aggressive hack on May 27, 2023. This action, which resulted in the hacker obtaining control over 1.2 million votes—effectively the majority—was discovered by security researcher @samczsun from Paradigm, who immediately flagged the troubling development on social media.
However, after the initial shock of the hostile takeover, the saga took an unexpected turn. Despite managing to steal 483,000 Tornado Cash (TORN) tokens, worth around $890,000, and launder these stolen funds through the Tornado Cash Router, the attacker then proposed fixing the vulnerability they had exploited. Most surprisingly, the hacker sought to return control of the platform to its rightful community. The proposal was met with overwhelming support, receiving 517,000 token votes in favor and no votes against.
Despite this unexpected resolution, the saga raises numerous questions about the security and governance of decentralized systems. Furthermore, it reignites the debate on the need for clear laws governing the still-nascent crypto space. As Nansen reporter Martin Lee pointed out, even though the hacker returned the majority of the stolen tokens, they still kept 39,000 TORN for themselves, worth around $160,000.
This incident marks the latest in a string of challenges faced by Tornado Cash. In June 2022, $100 million was stolen from Horizon Bridge and transferred to an address belonging to Tornado Cash. This, coupled with allegations that the protocol was used for money laundering by North Korea’s hacker group Lazarus, led to Tornado Cash being officially sanctioned by the United States Treasury in August 2022.
The saga also throws a spotlight on the broader issue of crypto tumblers. While they enable transactions to remain virtually untraceable, they are also open to misuse by malicious actors looking to launder illegal money. This duality is reflected in Tornado Cash’s position: a preferred tool for some, but a contentious platform for others.
The crypto world is no stranger to hacks and security breaches. The $6 million phishing-as-a-service offering by Inferno Drainer, the discovery of a vulnerability in SatoshiLabs’ Trezor T model crypto wallet by crypto recovery company Unciphered, and the flaw found in the cross-chain protocol Celer that could enable hackers to disrupt the platform’s governance process are all recent examples. These incidents underscore the need for users to be vigilant about protecting their digital assets and staying informed about potential security risks.
Tornado Cash Explained: A Revolution in Cryptocurrency Transactions
To fully grasp the concept of Tornado Cash, one must first understand what a cryptocurrency smart contract mixer is. Simply put, this is a tool that allows a user to deposit cryptocurrency from one address and withdraw it from another, with no traceable link between the two addresses.
Tornado Cash, a well-known zero-knowledge smart contract application, employs this technique, making it nearly impossible to trace the origins and destinations of the cryptocurrency moving through it.
Understanding Zero-Knowledge Proofs
The concept behind zero-knowledge proofs can be slightly challenging to wrap your head around, especially if mathematics isn’t your strongest suit. However, the core principle is straightforward: a zero-knowledge proof verifies the accuracy of a computation, without revealing any details about the inputs.
Think about it this way: with RSA, producing a valid signature demonstrates that you hold the private key, which is derived from the secret prime factors of the public modulus, without revealing what those factors are. It’s like proving you performed a secret multiplication correctly without disclosing the numbers you used.
Zero-knowledge proofs function in much the same way, applying this principle of concealed operations to a broad range of computations, from basic arithmetic and boolean operations to complex processes like verifying the root of a Merkle Tree, or the preimage of hash functions.
A key point to remember here is that the zero-knowledge proof only verifies that a computation was carried out correctly – it does not perform the computation itself. To generate a zero-knowledge proof, the prover has to execute the computation, producing a result and an auxiliary proof to validate its correctness.
The verifier then checks this proof, using a specific algorithm, to confirm that the computation was carried out accurately and produced the claimed output. Importantly, this verification process does not reveal any information about the inputs, preserving the zero-knowledge aspect.
Tornado Cash: A Paradigm of Zero-Knowledge Proofs
Tornado Cash capitalizes on this principle of zero-knowledge proofs to facilitate cryptocurrency transactions that are virtually untraceable. A user can deposit funds from one address, and then withdraw them from a different address. The zero-knowledge proof verifies that the transaction has occurred without revealing any information about the originating or destination addresses, effectively ‘mixing’ the transaction and maintaining the anonymity of the user.
However, it’s important to note that engaging with Tornado Cash isn’t without its risks. The platform was recently targeted in a major hack, with attackers managing to gain control of a significant majority of its ERC20 voting tokens, although they later returned control of the platform. Additionally, the U.S. government has sanctioned Tornado Cash, so interacting with it might flag your wallet in future transactions with centralized exchanges.
With that said, Tornado Cash represents an innovative application of zero-knowledge proof technology, which could have far-reaching implications for the future of secure and anonymous cryptocurrency transactions. As always, users should exercise due diligence when navigating the complex and evolving landscape of blockchain technologies.