Tornado Cash Security Breach: Malicious Code Endangers User Deposits

Share IT

Key Takeaways:

  • Tornado Cash faces potential risks to its deposits and deposit data.
  • A proposal suggests reverting to a previous version of the protocol’s IPFS deployment.

Tornado Cash, a prominent token mixer, is currently grappling with a serious security threat after a malicious code was discovered in its back end, putting user deposits in jeopardy. 

According to a Medium post by Gas404, a community member, the protocol’s deposits are vulnerable due to the insertion of this malicious code.

The post outlines how a malicious javascript code, concealed within a governance proposal submitted by an alleged Tornado Cash developer on Jan. 1, redirects deposit data to a public server controlled by the same developer.

 This code has the capability to leak deposit data and even steal deposits, with at least one deposit already reported as stolen.

To mitigate this critical vulnerability, Gas404 suggests reverting to a previous IPFS ContextHash deployment used in an earlier version of Tornado Cash. Gas404 also advises users to change their notes using the recommended IPFS deployment and vote to veto previously deployed proposals to prevent further exploitation of vulnerabilities.

The community recently discovered that a malicious javascript code was concealed within a two-month-old governance proposal submitted by the alleged Tornado Cash community developer, Butterfly Effects. This revelation suggests that since Jan 1st, the deposit notes of Tornado Cash may have been leaked to a private malicious server owned by the alleged developer.

This security breach comes at a challenging time for Tornado Cash, which has already experienced a significant decline in trading volume following sanctions imposed by the US Treasury Departmentโ€™s Office of Foreign Asset Control (OFAC) in August 2022.ย 

The sanctions, part of broader measures targeting the crypto sector, have impacted the mixer’s operational scale.

The community is actively working to address the immediate security concerns and restore trust in Tornado Cash’s platform integrity. As efforts continue to rectify the situation, users are urged to remain vigilant and take necessary precautions to safeguard their deposits.

Overall, the proposed solutions aim to mitigate the risks posed by the malicious code and ensure the safety of user deposits within the Tornado Cash ecosystem.

Share IT
Aadrika Sharma
Aadrika Sharma

I enjoy writing and try to learn new things every passing day!

Can’t find what you’re looking for? Type below and hit enter!