A researcher from the L2BEAT platform has issued a critical warning regarding a suspicious governance proposal submitted to the Tornado Cash DAO on June 25, 2026. The proposal involves an unverified target contract, a significant departure from standard protocol, which experts believe could lead to the misappropriation of community funds. While the primary privacy-preserving liquidity pools remain unaffected, the DAO’s treasury, holding approximately $12.4 million in TORN tokens, is reportedly at risk if the malicious code is executed.
Unverified Contract Raises Security Alarms
The threat was identified by researcher @sergeyshemyakov, who noted that the proposal’s target contract lacks verification on blockchain explorers. This lack of transparency is highly unusual for the decentralized mixer's governance process. Investigation into the proponent's history revealed that the creator’s address was funded just four days prior to the submission via Railgun, a private decentralized finance (DeFi) protocol.
- Submission Date: June 25, 2026
- Funding Source: Railgun privacy protocol
- Risk Mechanism: Potential "delegatecall" vulnerability
- Asset at Risk: TORN tokens held in the DAO treasury
Technical Implications of the Delegatecall
If the proposal reaches the required quorum and is executed, the Tornado Cash governance contract will perform a delegatecall to the unverified target contract. In Ethereum-based smart contracts, a delegatecall allows the target contract to execute code in the context of the caller's state, essentially giving the malicious contract full control over the DAO’s permissions and assets. This specific function is often utilized in governance exploits to bypass security hurdles and drain communal treasories.
"The Tornado Cash fund pool itself is secure, but this proposal could directly target the Tornado Cash DAO, which currently holds approximately $12 million worth of TORN tokens", stated Sergeyshemyakov.
The current situation highlights the ongoing vulnerabilities within decentralized autonomous organizations (DAOs) when governance participants fail to scrutinize unverified code. While the privacy-mixing functionality of the blockchain protocol remains structurally sound, the TORN token holders are urged to exercise extreme caution and reject the proposal to prevent a massive capital flight from the ecosystem.
Frequently Asked Questions
Quick answers to the most common questions about this topic.