Malicious code in Tornado Cash governance proposal puts user funds at risk

February 27, 2024 at 09:37AM

Malicious JavaScript code found in a Tornado Cash governance proposal has been leaking deposit data for 2 months, compromising fund transaction privacy and security. Security researcher Gas404 discovered the code and urged stakeholders to veto the proposals. Tornado Cash, an Ethereum mixer, uses SNARKs for anonymity, but has also been associated with money laundering.

Key Points from the Meeting Notes:

– Malicious JavaScript code in a Tornado Cash governance proposal has been leaking deposit notes to a private server for almost two months, compromising the privacy and security of all fund transactions made through IPFS deployments such as ipfs.io, cf-ipfs.com, and eth.link since January 1.
– Security researcher Gas404 discovered and reported the issue and urged stakeholders to veto the malicious governance proposals.
– Tornado Cash is a decentralized, open-source mixer on the Ethereum blockchain that uses cryptographic zero-knowledge systems to allow users to deposit and withdraw funds anonymously. However, it has been used for money laundering, which led to sanctions in the United States in 2022 and legal charges against the project’s founders in 2023.
– Malicious code was planted in governance proposal 47 by a community developer under the name ‘Butterfly Effects,’ modifying the protocol to leak deposit notes to the attacker’s server.
– Tornado Cash developers confirmed the compromise and advised users to withdraw old notes and replace them with newly generated ones. Token holders with voting rights were advised to cancel their votes for proposal 47 to revert the protocol changes.

Overall, the meeting notes highlight a serious compromise in Tornado Cash’s security, leading to a data leak and potential exposure of sensitive information. The Tornado Cash community and stakeholders have been alerted to take necessary actions to mitigate the risks and address the malicious code issue.
