NOTE: This thread does not mean that the proposal is not malicious, we have to verify state changes after it, but voting for our Proposal, when deployed, and it will be deployed, is necessary, independent of whether we say if 21 is safe or not.
We will post our current analysis of what state changes the execution the attackers Proposal #21 implies.
You may read the full governance attack description to first familiarize yourself with the attack, and this thread to see what we were looking at before.
Proposal #21 (proposed by the attacker), according to our examinations, seeks to revert a number of balance changes which have been made to the Governance contract, back to their original state before the exploit. This proposal will also move 483,000 TORN from the Governance contract, to the Governance Vault.
We state that this is according to our examinations, because we must, not allowing ourselves any further mistakes, initially assume, that if anything, that this could be another attempt at, for example, deceiving us, seemingly nullifying balances, but then in some way rugging 483,000 TORN, again. For this reason, we must ascertain that the mentioned behaviour of the contract is not malicious.
We will display the characteristics of the proposal which make us currently believe that it is not likely to be malicious.
The contract does NOT contain the SELFDESTRUCT / CREATE2 backdoor
In [0] the decompiled bytecode of the contract can be found. Since SELFDESTRUCT it is an opcode, it would have to be found somewhere in the decompiled code. This is NOT the case. You can compare this against the third deployed proposal contract in [1], which clearly shows a selfdestruct.
This means that the contract does not exploit the same vulnerability.
All storage addresses which have been changed in Proposal #20 are accounted for
In [2] the attacker executes his malicious proposal, as we know. If one examines the storage slot changes, then one will note that the only malicious changes are in fact the ones in the Governance contract itself, and not the Registry and Staking.
This is because, the malicious proposal logic was in fact wrapped with the execution of the logic of the expected changes, the attacker executed the expected changes such that it is not noticed that the Proposal does not behave well.
Two TORN transfers are thus expected, as are all the changes in the Registry. What we are left over with is with 102 storage slot modifications. What we most now compare is whether the addresses which are being zeroed out map exactly towards the storage addresses of all the slots. The storage addresses as well as the addresses in the Proposal #21 contract can be found below under the Resources title.
In [3] we have created a repository which demonstrates that all storage slots changed in the above mentioned transactions are accounted for by computing the storage addresses, and that the only slot which does not fit this belongs to the expected proposal.executed = true; assignment.
Our example also demonstrates that as far as balances and voting power are concerned, that the proposal, after execution, eliminates any voting power the attacker previously had. The inlined output result:
Inlined Balances Output
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ EXECUTION TESTS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is expected that the attackers balances are nullified and that the Vault receives 483,000 TORN,
and that the Governance TORN balance does not otherwise change, or any other state.
Governance balance before execution: 2466122 TORN
Governance Vault balance before execution: 0 TORN
Attacker locked balance before execution: 717000 TORN
Governance balance after the execution of Proposal #21: 1983122 TORN
Governance Vault balance after the execution of Proposal #21: 483000 TORN
Attacker locked balance after the execution of Proposal #21: 0 TORN
All state other state checks completed successfully.
Below you can find instructions for running the tests which demonstrate the truth of the former statements.
Test Instructions
git clone --recurse-submodules https://git.tornado.ws/AlienTornadosaurusHex/proposal-21-test.git
yarn # or npm
# To test slots
yarn test:slots # or npm
# To test execution of the proposal and balance changes
yarn test:execution
# To test both
yarn test
Note that all of the former also implies that the padding which can be seen in the contract correctly “moves storage in place” for these storage slots to be modified. The name _balances could have as well been called by any other name, but as long as the mapping type is correct, together with the correct offset, the proper slots are modified.
Conclusion
Our current conclusion is that the proposal is not likely to be malicious. We have thought of several more criteria which we are waiting to verify at proposal execution. Until then, this, in combination with the attack description, should give a good overview of the current situation.
The proposal executes in exactly 12 hours and 41.5 minutes from the time of this post.
Resources
Attacker Addresses
0x1C406ABB1c6a3Bb12447f933b5D4293701b6e9f2
0xb4d47EE99E132e441Ae3467EB7D70F06d61b10C9
0x57400EB021F940B258F925c57cD39F240B7366F2
0xbD23c3ed3DB8a2D07C52F7C6700fDf0888f4f730
0x548Fd6e5239e9Ce96F3B63F9EEeAd8C461609dc5
0x6dD8C3C6ADD0F403167bF8d2E527A544464744Bb
0xC883Fa52D656eBF2b665f2B0C9DC69018dB19760
0x1Eb70Cb3c28BE53b287C4E4770F28a3829a57242
0xcd280F16CE0b25f85f7520a312EB6B9D76a941D4
0xeFDAad217f73355Afe99bC3Ff60BA9Fa6f4Bf51D
0x130A2AAE6C3B2a8B0403cA6b9F4e28f3Eb59b021
0xf06A447EB8ebb3Afe4849fC9Ac14eA7f5FBe480a
0xE3339Ee951522E9C8CC28534179aBF26eF6fC390
0xCDcFE3Fa83e771d3CeF8AcB0Cf494B00A625Baa0
0x427F31Efe23C994738F79B81054351a35E020300
0x7b54c6424602d38c586A73237350d74d3bB1f9e3
0x86ab338d8f95AB08869004Fa438a0608F896cc85
0xe447c398F643122bAF82d2a28f0AD743Bf03810a
0x2026e53c38c2a6d344B20774CCE003B9c82d8db4
0xe2e057027215506ba37aC14b1b3F35447BCE9E00
0x750379A427c2e905dfb93b57Ff32Cc900B982D58
0xf3aBB7F9DfEC6fA5696674e434c1291BA99D5365
0xbDf1b3b48BC47bb400Ed3a774dde6A8a8C087B08
0xbB7AaF0FC95099b624f33d421A02aF2aA9dEB30b
0xD772cA075b0832981F907d78120BB1d2dDeA9c53
0xB8BC190B76066d6C36aeA266dD35997b371Bf059
0xd77B507176504c75e6CDcF2F18E9d5efB674C898
0x59783a2693E00c2e717cdF8F6AABc30F22a2EE25
0x2099A879c81d842CB41faE11F64C430980A2489C
0xe54e212b1678DD92AbA5C19c571012fD9591f79b
0xe8746D4Ee2E21b1952f2a299A58e26217b5C83B8
0xf8DD45c936A23BEC510C3F43340E96624DC64E2a
0xEcC13e5879a24878D391728D21908c06c49a0f35
0x333fA2ea687d00235C9D30Dd8d0A1Ad9be320223
0x39bC22EB04601d10D882b3e0Ff7BC48939468111
0x656c14885D5A4d9617A5338e638E9e09F8742F89
0xE8c82D0EDA5d845eb020b93F28B4192A485ae46F
0x25bC8ce97Ff49A6e4e0FF19576fdCF4930a86470
0xe2FAD4491D606c8dc2CCE6533BA06286B55E9e59
0x211Ecb06CCB94F64a199b8c0Ab50da677F0814A1
0x86f9EF2d46D977dd5756A145697b21A45cd482aA
0xb2149729d926CadF5Fd4F441D2916f32EE1117BD
0xFcA3B56D3fcDDd26A07B4da219D23c821464E413
0xf938f086deB7BF8E21e87B7F5ca695736FB72662
0x2aD04ec2618b937B94FAf84DE1b791ea24c421CB
0xddefD8c3a56B6c94aD7C99515426f35EABd6B1eb
0xF2Faef2A542883655d17a7E1A1F45995FFd96EbD
0x1f91DFE1824F686eaE52dC427725b77491BdF1fe
0xcE3E4F2E58536c62aB884CDf6ede3d540B3Bada4
0xD587e79Af0c5739E7CE2fbC61d9BD2E93905903D
0xd526Bf6eeD41e08f553E8C81405346cA57e5681F
0xB04B6457468B638F634DE5E29b5e3695219bdD07
0x2DC89Da10a6fECd06D1cf4cD2e300892bFb330Ad
0x7D98dFAD3299c1b0A64C4491E79479E25161618E
0x8bc8f686fb9ba1b31bc700ddf1244905F490bebE
0xF6B1FB511ced4Db14c6fB811c160703EE7222a9D
0x18Bb987538429C88364a0F06762446F5f676CD82
0x5A92902142cE0A9b64A63b59E8c45222Da403ADc
0x2a748636E9a02619B4BB517C00b01Bd554100faB
0x732D52E0f3c42e3FC865b0c3D56ad74bbccF012c
0xBaE4F977BAf53c1f4353A94467116227a36E195f
0x01760D5BA7507B35C24dbE0CD33eD20C6Ebc98F2
0xfc91b2f505d759DdB8765B2Cc87510E5aCDdbAAf
0x90009a669F2e2282C6264fFa371dB25e6E5266a0
0x1783D6610a6b8E2fF172eAA09c02F347a03679eF
0x53DCF5fF9804f50B395c1105785e22ae854D8F6E
0x7d01a7eD2f35e2232388686274b28812B1c8AF89
0x81cF4BcF79E85a6827D59013B91aD077c6ce58Fe
0xaa715EBcF8432cf5821f4Aa5E9d1481FA2Ca13B5
0x9ae18da8Bfb74456DcbBD23eE2F56C35A7231339
0xBaB434Bd4DFaA4CefA56B0B7C964facaB74caD13
0x6c4204b3f40dfF763307d8cd681d02e37B55fE08
0x4134644AdcC12841De3FC895509d82e099b7f0DF
0xCa79e6797953954e0817052293FE3A8710F3583d
0x8A6DE36E0CcEfb692355E523583b99017aadc62F
0xA867B662A05e6ADba6209BEe4EB8e01764f1F27d
0x5003997c5e8b0438fef1e6Bb2ff79D73ed68C717
0x335a4d0c4AaC5A5ffD644B3b4FA443679eFa88F9
0x6F07a83384852f22c11D132b91D8c907790911f8
0x32B5694222A2191142b09d6aB17c3b3f57d4e679
0xb99f6AACf00EBFBA50519B1A37B1Ff88E0ae3f9c
0x480ACEBA484e7bBB6a57c8c5F035271C5c21014E
0x314F40B5D640876D8c53381c66B36B55D68195cC
0xcBeC349Eb9ac6656393b001EfF786CDE912c50AB
0xBFf9cb6B8BdA67485e17dD67B450A6A49e76F4bF
0xfd85628806878216d93B623B2e647D1f88Cea027
0x5b929a832690185A150e7648f9b6476487577bd4
0x28bbAdF5C8CeA27636a9cA11436030337c416400
0x9170b1c95DAaDe6fd70E640f1F6FB2911Db62468
0xC73e7c6333683F25B951941759D4b6038eC51DAE
0xd99b4C7372cC245965Bf24A1762d76228201A4b0
0x67227DDE7BD55B8C2313822b2EaDB46Eda73A4bB
0xd4D9F6f64A5bAF9D263217EB7f5AE1444A956469
0xCe85fD8b7D965e807f04F51440585Fc610B061a2
0xd70b6B4De4afa7B0205bB93E46A994C5815fb0B4
0xb06F844f02695F6cfA0152B12BcfA757B31eB154
0x1973653486856a0420Fd92a7c5264c3d4D0319B6
0xA05F1956dC591b815c66e489bf2313F1Ed39dBe9
0xBC78138A49e5BADDBE7a125659A7b4F661D2770A
0x68458586990E0d48c034E49b783B08444730d44f
0xbfFefE62Ca8e0BE1734D267767Ad5923c23bBB05
Storage Addresses
0x6d3aadf46657098374577ba61c2d96d7adfad4046c8b3d0de09a97478f27ac89
0x72f687bcd6c747751d745ed2c8b6408d07c76055e3bd7647b995fd8bf8ca6c3a
0xba41ee557ea1dbd704632da5f6f57632b2ad3a9ab7769d61f3f79f55959e7fec
0x0b6fa73d149194f8207a526c015c64d7f83fe2df97440950a9c25d34c876cef9
0xdd83f177f5751c7c3c8c8c7447b92937e5965feac90c851291228e14f54ef7c6
0x482f0166295ad6811ef35ac84f54d4c67354df00acaf0ce7522539b1aebae893
0x7c63b3c5dcc68fea8aeb5643bfc1eaff39793eaa489602c5e76d010243dc5d97
0x8021aae281c806b06b06d218de5bd5f6933d8e5359757c679a06ee2bcfd26f7b
0xdc003a2947b930c74de4d300523120c6af6089c37c453de6fd05fc3a401a1ed8
0x942419feb35a17e0e5239f56df861407c23294d7d1b19a08edde87dc24836ea8
0x0028e41502e02a6d110bf9e7e47f08b5b47c2cb013a35190a94d0567deab943f
0x9d80d6a31907970e48b4ccb632dcd3719467c2d56742aa9eb78e3040d06b87bf
0x9dda19aca9c8cad8885d5156a74a42c77598fdf11e918e8bb45e3b06b07ef537
0xae9aadbb956c5ffbf192a17dcb5a4ce60def19234ddce01e014f65a21412320e
0xb97934cf063be06a858a08a169f3a87b7bbe2d720ca826bd257a738f444cc1a6
0x55b6562d0ab5d618a6d90e4af06d0f0ee333b8742b1919795346b0a001ef63c5
0xe5c1c9b28447803340e9a3b840e92fe84d62fc0c05fa8a336cb90b54ac4bfd4e
0x9df32107684d4da77a092c9be4c6c21aec7aafed07aca5723309d6dc5cf5c4e2
0x4c1f3688bec5a250aed03d00bb325b01e0e383b7f399f15616029dc892873c00
0x17aa0613d038e18067a7fde3c399424a2f05c3786aad47a5924f1cd57cf175a8
0x7493dd99e5502fba9e4f2303fd54be4b2df693d377e9518a2546e0fc231fe053
0x2c289221b40ff38c0615a5d15a18729e909ce5db49b2a9d7283d33f62e861d61
0x294d72c4285776248cba6f302d6739c2d7b684de0515406ce80e3a101f71f6c1
0x851f09bde5ef837ebb9e5f9bba86886950c9e085c3862dc25ae1d701376fdbef
0xf369d43db749b8ed060cb9761ea1f7b7e69bedce2cd8427f38abfb2e8d22b078
0xedf2d3ec1d92b0fc48875f557d61e66f24b573a9b4a5e6630d6dc83dc9d0592b
0x1f80546c03656dfa081daa224eae10e860f3be6d4fc2532f3edbb838bb4107ac
0x480988b4f7534f538764f4f7f02ba2e37613b3334732a2d84d2b0d17a16ea4a1
0x39da7f8bc2665edfe50fe0ead4748f6a18ea7fc5575d95670d77de966895fdde
0xd1741bd550f1ce5daf5bcd6ef68e6cbad925338ac823223e9ea5c9eaae85acaa
0x1d19327db86fc8ab0dd834ea8334ed40ed43a118bd39fe7245fe6851aff2a296
0xb687ead01f5a33fa5a51ced5c707a410f5d5bc122d369b048bb04b7fbbb474a2
0x9a81376be582aede805f1b31909fdcc9bca805be04ba0aef0683bc9ca8ef64e3
0x85bfd19c6c9c37382a324193ab0345c6f6a9157ccb7527e925e5b7559975cdce
0x9cae4b8f6926897c8b7d457b002334924d5c53b9274520b6eb2e3c4470219bd8
0xbea83b759f2c5cf60fa7b1ee77f99476d02f7c177dded7dad00bcad8bcbe3189
0xeac3f14ec76a077290cb2f0e0a00e36069cd693a2cc8b52f4470425265beb8eb
0xdf30d48eea928ac3a264121cd815aca0be9a5f880ab13c1724825013f1e97b4e
0x3e6cd34f16de89b9f2ab9fedcb1d5ad455285241da4f71934d4b54fb528f6d75
0x83dc0bbfe2277f5acd9ff5c84aff11fbfe02afa89b9b968becc1841a8693d292
0x9152dac88f73916513a1734fcf8ae1b752cf8f250634647ef8babfe8ffd18767
0x93dcdfdccdb7e326adc4066765fa948f6cafb8367d7038b35d45e405c53b9bc5
0x84b9ef4f730f6d6994cf5054048dbb81724ee911b7d8c713703d055541b93ce6
0x35e8df30fa823966478b4c7ccbfcdf48526606f12569b560522b9a7bdb832966
0xc678ea5a6ea2827aabfaa2c16947475e539a2d4ca6a599e58d74d43ebe8739f7
0xf7ceb58f0e785fa265b6708922b9995fe1d8f9de7040e1352c8e24b9d6f99b38
0x581f5fe92c7c9bd8880bb3b6a999c3ee84890a5dccb531e80c1b284ccb4b5c1f
0x0daef5d973db426d96711402ec9d2b1ef62d9019e197612939e96b839217ab6b
0xe73120c3a8a54845e77ae7add2cbe6558ef75edada0457d90a718bbc5736e50c
0xbabc3cb1d0fe95e8737a0f966691d1455c7e3141808b35594abc691ce53187ff
0x3216a647a73e7e6b49bfb95b7a07e0581594f0a757b7c595a5606926338bbea7
0x0b42f6082fa1d09a1f2a8548891baab99d43d9d352056958c499f6bb8516db95
0xf8eed3494701bf7093f27b4cdb88a1db96ee5e16722d46fe14368922ac6911b8
0x097bcab3c0ff6404448fdc3a0d65d34cae67858d812d4a14009e542ce7379a5c
0x1c1954c69f6d055f270d5f92882428ece18ec6ff54eb3759e64239c0e8d1c23e
0x150b8bf1039a78e5a0cda638606e8f4fcdd81680f7d34a2208aabbe191b7fc1b
0x269c78a04e4dfbf5074505045a3753ac46173341cc9589fa7079076affb0f77c
0x7ad48440080db03c47b6c2fa9635212ebd9d47ff2066ddea22afa1d6a69dd700
0x5ea18cebf186e4735392113d2dfc23dfac681b79c9af24ba2c955012d9e905bf
0xdb7ec7a1b6335b492e5fe9c1c356552235145714d8864c4c62e5cd103356baa5
0x2f4efeaf421ecb0fa95c32712400dbb5d3565486fdf636dd49690916706b3322
0x12666a874bec0fd2b70a9ddee2e23ad2f673a2edf82a8697dcdf1eca67076928
0xefee42602cc8af3b01737c403bff4ebf8b230540a7b11a8be0a624f3612f3bc7
0x3fc11e99cae08e7938e897e6afd399fda5bba0a4137e3e7785a9134357d027fa
0x71730d531f04bb651c2cd60a84e3222e8137c14e5f2970ba41176b757236e2a8
0x03e6eba8a567dec7f20d942e88674d2efdf2461a4b455ad25698655f0669044f
0x41ba7db959aeae73d46aa24f27e0dc91fd89e1a0bf120ffeb3ecfbcdd2df6aaf
0x4fb0a7dac301a3b33dff510693f210fbe24e07dc4e4c0933d6d1830cd12d27cf
0x39dafca388ce8896de1a3c190c0b5675368daa863d7cb8eecd84ed3e108726b8
0x5176ceb27445686c36a2edefa2d88edcfc4eec9b12dda6db7c3dc8a26cae43fe
0xad45b6c20476fbf588bcd7acce8405f2805ea6b01121cda3d32a9fe0e8fbfb15
0x231753911662040066c31d2d7239446e2ed073e6be332687a33972193fba8f35
0x45326a4913073240174d9d277324eda494cd770fcb4c598f18557c243ca9983f
0x36410d90f65dbd3fb5a2650fa4b3a92f9d3e1b49519d7d88b816c8af9de7639f
0x2146e765fa517e630fb8a01fbad9a901c01bd6a89c848ba5e597c22930447729
0xe67337a5233c080bf177494a4e5ca9e13da128ad34f1ae8e70e6a59aa7de2fdb
0x7f4743894bb0ace69e24a6ed032b818d953daccdf4a1403517e25f43f80a76a3
0xcd8079ed957301668f799e4f8ac6228d75ca437bc76a8d244d1940accc949796
0xca4b8853b9b199edbd0f7474cdda032a0dd1b9a783a5ce8628552c5e5efab0f3
0x5e8da5e3ba9cb348dc0fcd6cc691804f86db7364145fd9e132171dba372b8fe3
0x2a6b2c50479bad8e10501407000a56f960929f5e4744e4379281e4f435b647dd
0x98620bb34babb5e42e493bdd3187d6629774742a1af05e7de1d356123b3ac90d
0x86320cfb33a70e7772efdd04811d47aa87fa92f56464c15b5cafba344a07c1d6
0xc969ed01517552ce438008ae9f1c870ec6d5c26c4d9167e1ddca8f0eb933ff61
0x3975949de32dff56868e0f7b8ef32a343b463796b98f7b3c6eede7af4cc98efa
0x3b2908006ad44a7a6ed535a798c50c2cef3e29461cb3b61f065dfbd38998a248
0x237535dc40aad9f7b77cb3a9cd567919c93a4b03fbd409e7eb2524edf338009d
0xc873ca3cb9d655d00a309ecce7fd13d4b330d46849585030678e8beb4b460f66
0x22660775f1ebe8e5172a28862806368c340658b7841119865133a43f61c05079
0x38507f0cbb23efee0bfebade19a26a5f0c37baa2611a0f45496f0bd55f896cb5
0x394d2e3a745c16de559b5c4ede579a1ee9f465ce30d7a011607a31d58dd2432b
0x3b31e20783be58a3e9e55e055affb07776c45bbb5c9b12310e1c64641787a223
0x951b1f66f82a28c66da634dcf3f0c28e97f6414459e298ed3e89e844193d518a
0xb72f2c84d2997a6cc7e39e7a2ee09c1cef20a79be97f7e0f234c390dce0a51b7
0x23a5870a41dce1c9f8a195e7afc3da8fe9ab98dd6048d379ece402534bf8f174
0xf849fc2cd9077d8de94fcbd0f7afb74702b31b483aa5b87138b052169725037e
0x1ed8212501dd82c05f0f150ab6c2d40978f227ef417119305b68c32bc2a31b6d
0x0377da8e9b783d7a951fdf8fd41b3f3f03f75c884809734b7437ee7cf6dc7c7c
0x5e4bca86c93855d2b6bf3f9712484931c595789b3c4ddf5125825ff7dbac8260
0x33c521d4d4e63a162f23f947a781bc2c25bf54ed4efd03e1554eca0f21ecf219
0x4f7b3628312dc38b20561a3c76dd0700b80fbdb28da3cbc754d2b665b9757347