createaddress = hash(sender, nonce)create2address = hash(0xFF, sender, salt, bytecode)- The addresses of contracts created with the
createandcreate2methodology can be pre-computed.
- A person from TornadoCash deploys their
TornadoCashDAOcontract. Responsible for approving and executing proposals. - Attacker deploys contract
DeployerUsingCreate2. A contract that will deploy another contact calledDeployerUsingCreateusingcreate2. The address ofDeployerUsingCreatewill always be fixed at0xXYZbecausecreate2is based on the bytecode of the contract being deployed. - Attacker calls
DeployerUsingCreatecontract with normalcreateto deployProposalcontract at address be0xABC. The contract address of a contract being deployed withcreatedepends on the sender and nonce. It can also be pre-computed just like create2, except using sender and nonce rather than the bytecode. - The people at TornadoCash governance voted that the
Proposalcontract at address0xABCwas not malicious.selfdestructwas somehow hidden in the code. TheTornadoCashDAOthen contract callsapproveforProposal. The contract address0xABCassociated withProposalcan now callexecutewhenever they want, which is a delegate call to the DAO. However,Proposaldoesn't actually contain any directly malicious code. The attacker needs to deploy a malicious contract at the same address ofProposalnow. - Attacker selfdestructs
ProposalandDeployerUsingCreatecontracts. Self destructingDeployerUsingCreateallows for the nonce to be reset, if the attacker can manage to deployDeployerUsingCreateto the same address. - Attacker redeploys
DeployerUsingCreatecontract withDeployerUsingCreate2usingcreate2.DeployerUsingCreatewill have the same address of0xXYZbecause it's bytecode is the same. - Attacker deploys
Attackcontract withDeployerUsingCreateusingcreate, which also gives it the same address ofProposalof0xABC. This is because the sender is the same,DeployerUsingCreate, and the nonce is 0, the same as before. Effectively, the attacker had to find a clever way to reset the nonce to 0 in order to make another contract at the same address. - Attacker runs
executeProposalinsideAttack, which invokes a delegatecall insideTornadoCashcontract from it'sexecutefunction, allowing the malicious code fromAttackto be run in the context ofTornadoCash.TornadoCashthought this contract wasProposal, since it's address is the same, and is already verified, but it's actuallyAttack.
- Deploy
TornadoCashDAOwith an Address 'A', representing an entity associated with TornadoCash DAO. - Attacker deploys
DeployerUsingCreate2contract with address 'B', representing the attackers address. - Attacker calls
deployfunction fromDeployerUsingCreate2to deployDeployerUsingCreate, attacker retrieves address ofDeployerUsingCreate. - Attacker calls
deployProposalfunction fromDeployerUsingCreateto deploy the innocentProposalcontract, attacker retrieves address ofProposal. - TornadoCash DAO votes to approve the
Proposalcontract, and thenTornadoCashDAOcontract callsapproveforProposal. - Attacker calls
emergencyStopandkillforProposalandDeployer, self destructing both. - Attacker calls
deployfunction fromDeployerUsingCreate2to deployDeployerUsingCreateagain. The address is the same as before. - Attacker calls
deployAttackfunction fromDeployerUsingCreateto deploy the maliciousAttackcontract. The address is the same asProposal. TornadoCashDAOcallsexecuteto bring in the proposal's update. It uses a delegatecall to call theexecuteProposalfunction inAttack. TheexecuteProposalfunction is malicious inAttack, and changes the owner to theAttackcontract.
- Assume
selfdestructis malicious even if coming from a trusted source. Carefully analyze the code and exactly why it was added. - Be wary of delegatecalls as always.
- A contract can be re-created at the same address after having been destroyed. But it is possible for that newly created contract to have a different deployed bytecode even though the creation bytecode has been the same. Iif the constructor can query external state that might have changed between the two creations and incorporate that into the deployed bytecode before it is stored.