Woofun AI reports that a malicious governance proposal submitted to the Tornado Cash protocol threatens $23 million in TORN tokens held within the DAO treasury. Blockchain security researcher Sergey Shemyakov identified the threat via X, warning that the proposal's contract code remains unverified, a critical deviation from standard decentralized autonomous organization transparency protocols. Unlike typical submissions where code is publicly auditable, this proposal obscures its logic, creating a direct pathway for an attacker to seize administrative control of the governance layer.
Notably, the proposer utilized Railgun, a privacy-focused tool, to receive initial funding, effectively masking the transaction history and complicating efforts to trace the source of capital. While the Tornado Cash mixing pool and user funds remain secure, the attack vector specifically targets the protocol's treasury, aiming to drain TORN tokens if the vote succeeds.
Woofun AI data shows the immediate risk is confined to the DAO's asset reserves rather than the core mixing infrastructure, yet the structural vulnerability allows hidden code to grant unauthorized administrative privileges upon approval. This incident underscores a systemic weakness in decentralized governance where complex proposal processes can be weaponized to insert malicious logic. For Tornado Cash, already navigating severe regulatory and technical hurdles, this represents a fresh assault on its operational integrity. The community must reject the proposal immediately and enforce stricter code verification mandates before any future votes. As decentralized finance expands, such targeted attacks on governance structures will likely increase, demanding heightened security diligence from all DAO participants.