Malicious code found in Tornado Cash governance proposal

Malicious code found in Tornado Cash governance proposal


Share link:


  • A developer allegedly inserted malicious JavaScript into a Tornado Cash governance proposal, exposing user deposit notes since January 1st.
  • The exploit specifically targeted users of Tornado Cash through IPFS gateways, risking the exposure and theft of their funds.
  • Technical analysis revealed the exploit code’s mechanism, designed to secretly forward deposit notes to the attacker’s server.

Tornado Cash, a name that stood for privacy, security, and controversy in the crypto community, has just been hit by a concerning revelation. A developer, known among the community as Butterfly Effects, allegedly smuggled malicious JavaScript into a governance proposal, catching everyone off guard. Since the beginning of the year, it appears that anyone who used IPFS gateways to interact with Tornado Cash might have had their deposit notes compromised, sending them straight to a server under the control of the supposed developer.

For the uninitiated, Tornado Cash serves as a non-custodial privacy solution, allowing users to make transactions on the Ethereum network without leaving a trace. This recent exploit revolves around a piece of code that was meant to remain unnoticed. It was designed to snatch deposit notes and funnel them to a private server, all under the guise of a benign governance proposal.

But here’s where things get interesting: the exploit targeted transactions made through IPFS deployments of Tornado Cash. In other words, if you interacted with Tornado Cash using local interfaces, breathe a sigh of relief—you’re in the clear, thanks to the transparency and auditability of direct contract interactions.

The exploit itself is a crafty piece of work. I am actually impressed by the work. Basically, it encodes private deposit notes to masquerade as call data, sneakily using the window.fetch function to transmit this sensitive information to the attacker’s server.

The community discovered the exploit code through platforms like Cloudflare IPFS and its links to a suspicious Ethereum address. However, there’s a silver lining in the form of recovery steps that users and the community can take to safeguard their assets and the integrity of Tornado Cash. One important measure involves switching to a recommended IPFS ContextHash deployment, which could shield users from further harm. This deployment is validated through prior governance proposals.

As usual, the community is rallying together, with entities like ZeroTwoDAO and Gas404 developers advocating for a proactive stance against such exploits. Their call to action is for TORN holders to exercise their voting rights and veto proposals that might harbor malicious code.

Disclaimer: The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decision.

Share link:

Jai Hamid

Jai Hamid is a passionate writer with a keen interest in blockchain technology, the global economy, and literature. She dedicates most of her time to exploring the transformative potential of crypto and the dynamics of worldwide economic trends.

Most read

Loading Most Read articles...

Stay on top of crypto news, get daily updates in your inbox

Related News

Gurbir Grewal Reflected About Efforts of Compliance of Crypto-Industry.
Subscribe to CryptoPolitan