After seizing control of the governance structure behind the sanctioned Tornado Cash protocol over the weekend, an anonymous hacker suspiciously proposed to put everything back the way it was.
On Friday, the hacker’s proposal passed by an overwhelming majority, and it can now be implemented by any member of the DAO over the next two days—control goes back to the community, and most changes will be reverted. But during the week the hacker had control, more than $1 million was plundered from the governance system.
The Tornado Cash protocol, an OFAC-sanctioned mixer that helps obscure crypto transactions, was created by a decentralized autonomous organization that pays for its upkeep and development. After it was exploited through a malicious governance proposal, that hacker created more than 1 million fake votes and took over the protocol. As of Friday, about 470,000 TORN tokens had been sold and swapped for ETH. In total, 572 ETH has been deposited by the hacker into Tornado Cash for laundering, the cofounder of blockchain security and auditing firm CertiK Ronghui Gu told Fortune.
Although the protocol was not immediately damaged by the hack, with the hacker still controlling many of the DAO’s funds, Tornado Cash could fall into disrepair and not further develop, said Gu, who added that this type of hack is becoming increasingly common. DAOs should have third-party audits of their code to help prevent hostile takeovers, Gu continued, but there is a drawback: Auditing every proposal slows down voting, which slows down implementation. It’s also expensive.
“The auditing process for proposals, we believe is necessary,” Gu said. “But we currently, definitely do not have such a thing as a practice in the industry.”
The exploiter’s bid to give back control is rare, but not unheard of. Because the hacker already drained a significant portion of the DAO’s funds, they likely don’t care about the actual governance system. In the past, hackers have been convinced to give back a big portion of stolen funds back if they can still keep a cut, as was the case in March, when a hacker returned more than $1 million to Tender.fi and kept a $97,000 bounty. In another case earlier this year, a team of law enforcement figures and lawyers pressured a Russian hacker to return $200 million to Euler Finance.
It’s unclear whether this hacker will return any stolen tokens.
After a 50% plummet to $3.60 following the hack, TORN has rebounded a bit, trading at $4.17 on Friday afternoon, according to CoinMarketCap. The token still was down almost 3% over the past 24 hours as investors weighed the governance system’s uncertain future.