The Crosswise token was exploited on Binance Smart Chain, for a total loss of 880,000 dollars to the protocol. The hacker used a privileged function in the smart contract to set the trustedForwarder and then hijack the owner privilege of the Crosswise MasterChef. This privileged function was publicly exposed.
Folks at PeckShield further added that the initial funds used to launch the hack were withdrawn from TornadoCash and that the gains, too, were washed using the same service.
For those who are unaware of TornadoCash, it is a service people use to wash funds so that they become untraceable. That does not mean TornadoCash hides the funds on the blockchain – the funds are still there but simply harder to find.
So was this really a hack? You see, Crosswise, by mistake, left a function that sets a critical parameter available to _anyone_. This bug is clearly simple and easy to understand. Why not include a modifier to ensure that the trusted forwarder is always equal to an address, or comes from an array of addresses, specified in a constructor or contract variable?
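
The restriction suggested above, sketched in Solidity next to the exposed pattern. This is an added example, not Crosswise's code: the contract, modifier and event names are hypothetical. It assumes the acceptable forwarders are known at deployment, and it also adds an owner check on the setter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; all names here are hypothetical, not from the Crosswise source.
// Pattern described in the post: the setter has no access control,
// so any account can change a parameter that privileged checks rely on.
contract ExposedForwarderConfig {
    address public trustedForwarder;

    function setTrustedForwarder(address forwarder) external {
        trustedForwarder = forwarder; // no restriction on the caller or the value
    }
}

// Hardened form: forwarders come only from a list fixed at deployment,
// and only the owner may choose among them.
contract RestrictedForwarderConfig {
    address public immutable owner;
    address public trustedForwarder;
    mapping(address => bool) public isApprovedForwarder;

    event TrustedForwarderChanged(address indexed previous, address indexed current);

    modifier onlyOwner() {
        // Raw msg.sender, so this check never depends on the forwarder setting.
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    modifier onlyApprovedForwarder(address forwarder) {
        require(isApprovedForwarder[forwarder], "forwarder not approved");
        _;
    }

    constructor(address[] memory approvedForwarders) {
        require(approvedForwarders.length > 0, "no forwarders given");
        owner = msg.sender;
        for (uint256 i = 0; i < approvedForwarders.length; i++) {
            require(approvedForwarders[i] != address(0), "zero address");
            isApprovedForwarder[approvedForwarders[i]] = true;
        }
        trustedForwarder = approvedForwarders[0];
    }

    function setTrustedForwarder(address forwarder) external onlyOwner onlyApprovedForwarder(forwarder) {
        emit TrustedForwarderChanged(trustedForwarder, forwarder);
        trustedForwarder = forwarder;
    }
}
```

The event gives monitoring a signal to alert on whenever the forwarder changes.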