Give me Warnings! Tornado Cash’s Proposal Incident
Yet another post on Tornado Cash’s incident, but the problem is much bigger.
In DeFi, we keep learning our lessons the hard way. That is, losing assets to a properly crafted scam, exploit or trick. The most recent event that highlights that even technical folks are being tricked into trusting is the Tornado Cash governance incident.
On the 20th of May, a new proposal was submitted to TC governance, Proposal #20. It did not look suspicious, but proposals should not be blindly trusted and the code should be checked. The proposer stated Use same logic of proposal #16 and indeed it looked pretty similar! so it was deemed benign.
But pretty similar is not good enough for security, as you already know by now. The following additional code was sneaked in:
function emergencyStop() public onlyOwner {
selfdestruct(payable(0));
}After the proposal passed, the attacker triggered selfdestruct and deployed new code through the handy create2 . This time they included arbitrary code that would be executed shortly after by the Governance contract.
This post is not to discuss the impact of the attack or the technicalities of how to deploy contracts to the same address through create2. Just to bring attention to the need for improved UX when informed decisions need to be made. Not just when a plain user signs their first transaction, but when technical folks deal with day-to-day tasks that require sharp attention to detail but more often than not result in a swift “LGTM” after a quick glance.
This highlights two problems with standard governance procedures:
- Voters may not the well-versed enough in a technical sense to vet a proposal.
- Even technical users can easily be tricked by a poor user experience (UX).
We will leave the first point for another (potentially long) discussion, but the second point is a generic problem and one of the big blockers to the mass adoption of Defi and Web3 in general.
We don’t even have to look as far as governance proposals. Even basic transaction signing is intimidating for less technical users (and expert users alike) as those long JSON messages may look like dark magic. Sometimes, you don’t even get JSON. Still, you should not “click through” without paying attention or risk your funds to approve-all requests or various scams.
However, the need for more user-friendly flows turns into an issue even for the more technical pals. It is not a matter of not being aware of the risks, but helping the user focus on the potentially concerning bits. Although sometimes perceived as redundant, being reminded that “this is the moment that you should make an informed decision!” or “Have you double-checked <this>?” could save you. Just think about when you incorrectly closed a document you were working on and the “Unsaved changes, do you really want to exit?” message saved you an hour's work.
We cannot tell for sure, but if the process of reviewing the Tornado governance proposal code included a powerful UX/UI, we could maybe have seen a very different outcome. Having a handy environment that highlights important sections of the code and prompts the reviewer to explicitly accept each warning or recommendation before marking the code as trustworthy will reduce the number of tired LGTMs crossing our minds.
