Odaily Planet Daily News: According to SlowMist's analysis of the Tornado Cash governance vulnerability, Tornado Cash suffered a governance attack on May 20 in which the exploiter took control of governance by getting a malicious proposal passed and executed.

On May 13 the exploiter submitted Proposal 20, describing it as a supplement to Proposal 16 with the same execution logic. In fact the proposal contract contained additional self-destruct logic, and the contract that created it had itself been deployed with CREATE2 and also carried a self-destruct function. A CREATE2 address depends only on the deployer, the salt and the init code, not on the runtime bytecode, and a plain CREATE address depends only on the creator's address and nonce, which resets when the creator is redeployed. The exploiter could therefore destroy both contracts and later deploy different bytecode to exactly the same addresses. The community did not spot this in the proposal contract, and many holders voted for the proposal.

On May 18 the exploiter, in multiple transactions, created new addresses and had each of them lock 0 TORN in governance, so that each address had a lock record in the governance contract. Taking advantage of the destroy-and-redeploy capability, the exploiter self-destructed the proposal execution contract at 07:18 UTC on May 20 and deployed a malicious contract at the same address whose logic modifies the number of tokens users have locked in governance.

At 07:25 UTC on May 20 the exploiter executed the now-malicious proposal. Governance executes proposals through delegatecall, so the proposal's code ran in the governance contract's own storage context, and the execution set the locked-token balance of the exploiter-controlled addresses in the governance contract to 10,000. The exploiter then unlocked those TORN tokens from the governance vault. The vault's TORN reserves were drained, and the exploiter gained control of governance.
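As an added illustration, not part of SlowMist's analysis or of Tornado Cash's own code, the Python below shows why the proposal contract could be replaced in place: it computes the CREATE2 and CREATE address derivations with a self-contained Keccak-256, and demonstrates that the address of a factory's first CREATE child does not depend on the child's bytecode at all. It also includes the check a voter could have run on the proposal's runtime bytecode before voting: an opcode walk that flags SELFDESTRUCT, DELEGATECALL, CREATE and CREATE2 while skipping PUSH immediates, so a 0xff data byte is not mistaken for SELFDESTRUCT. The deployer address, salt, factory init code and sample bytecodes are constructed placeholders, not the real contracts.

```python
# Added example: metamorphic-address derivation and a bytecode check.
# Everything here is constructed for illustration; no addresses, salts or
# bytecode come from the real Tornado Cash proposal contracts.

MASK = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
R = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
     [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rotation offsets R[x][y]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK


def _keccak_f(st):
    """Keccak-f[1600] on 25 little-endian lanes indexed x + 5*y."""
    for rc in RC:
        c = [st[x] ^ st[x + 5] ^ st[x + 10] ^ st[x + 15] ^ st[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        st = [st[i] ^ d[i % 5] for i in range(25)]                       # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(st[x + 5 * y], R[x][y])  # rho+pi
        st = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
              for i in range(25)]                                         # chi
        st[0] ^= rc                                                       # iota
    return st


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (0x01 padding) as used by the EVM; not SHA3-256."""
    rate = 136
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        st = _keccak_f(st)
    return b"".join(st[i].to_bytes(8, "little") for i in range(4))


def create2_address(deployer: bytes, salt: bytes, init_code: bytes) -> bytes:
    """EIP-1014: depends on deployer, salt and *init* code, never on runtime code."""
    return keccak256(b"\xff" + deployer + salt + keccak256(init_code))[12:]


def _rlp_uint(n: int) -> bytes:
    if n == 0:
        return b"\x80"
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 + len(raw)]) + raw


def create_address(sender: bytes, nonce: int) -> bytes:
    """Plain CREATE: keccak256(rlp([sender, nonce]))[12:]; takes no code input at all."""
    payload = bytes([0x80 + 20]) + sender + _rlp_uint(nonce)
    return keccak256(bytes([0xC0 + len(payload)]) + payload)[12:]


def child_address(deployer: bytes, salt: bytes, factory_init_code: bytes, child_init_code: bytes) -> bytes:
    """Address of the first contract a CREATE2-deployed factory creates with CREATE.
    A fresh contract starts at nonce 1 (EIP-161); selfdestruct plus CREATE2 redeploy
    puts the factory back at the same address with nonce 1 again, so the child lands
    at the same address whatever child_init_code is (it is deliberately unused)."""
    _ = child_init_code
    factory = create2_address(deployer, salt, factory_init_code)
    return create_address(factory, 1)


FLAGGED = {0xF0: "CREATE", 0xF4: "DELEGATECALL", 0xF5: "CREATE2", 0xFF: "SELFDESTRUCT"}


def dangerous_opcodes(code: bytes) -> set:
    """Walk runtime bytecode, skipping PUSH1..PUSH32 immediates so data bytes are not
    read as opcodes. Caveat: Solidity's trailing metadata and unreachable code are
    still walked, so a hit is a lead to inspect by hand, not proof of intent."""
    found, pc = set(), 0
    while pc < len(code):
        op = code[pc]
        if op in FLAGGED:
            found.add(FLAGGED[op])
        pc += 1 + (op - 0x5F if 0x60 <= op <= 0x7F else 0)
    return found


if __name__ == "__main__":
    deployer = bytes.fromhex("11" * 20)                 # constructed attacker EOA
    salt = bytes(32)                                    # constructed salt
    factory_init = bytes.fromhex("33ff")                # constructed placeholder init code
    honest = bytes.fromhex("60ff60005260206000f3")      # PUSH1 0xff ... RETURN: 0xff is data only
    evil = bytes.fromhex("33ff")                        # CALLER SELFDESTRUCT
    print("child address identical for different code:",
          child_address(deployer, salt, factory_init, honest) == child_address(deployer, salt, factory_init, evil))
    print("honest:", dangerous_opcodes(honest), "evil:", dangerous_opcodes(evil))
```

The naive check `b"\xff" in bytecode` would flag the honest sample because 0xff appears as a PUSH1 immediate; the opcode walk does not. One caveat on the derivation side: since the Cancun upgrade (EIP-6780), SELFDESTRUCT only removes code when it runs in the same transaction that created the contract, so this particular destroy-and-redeploy sequence no longer works on Ethereum mainnet, but the address properties shown above are unchanged.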