Code injected into Tornado Cash on January 1 puts user funds at risk

Code injected into Tornado Cash on January 1 puts user funds at risk

February 27, 2024 at 09:29AM

Malicious JavaScript code in a Tornado Cash governance proposal has leaked deposit notes to a private server for almost two months, compromising fund transaction privacy and security. Security researcher Gas404 discovered the code and urged stakeholders to veto the proposal. The compromised protocol introduced the code and Tornado Cash urges users to withdraw old notes and cancel voting for the proposal.

Key takeaways from the meeting notes:

– Malicious JavaScript code has been discovered in a Tornado Cash governance proposal, compromising the privacy and security of fund transactions made through IPFS deployments since January 1.
– The security researcher Gas404 discovered and reported the malicious code, urging stakeholders to veto the malicious governance proposals.
– Tornado Cash is a decentralized mixer on the Ethereum blockchain that provides privacy for transactions through non-custodial, trustless, and serverless anonymization.
– The mixer has been used for illegal purposes, leading to sanctions and charges against the project founders for money laundering.
– Malicious code was introduced via a governance proposal from ‘Butterfly Effects’ and modified the protocol to leak deposit notes to an attacker’s server.
– Gas404 advises users and token holders to take specific actions to mitigate the risk, including withdrawing old deposit notes, canceling votes for the malicious proposal, and switching to a specific IPFS ContextHash deployment recommended and verified by Tornado Cash governance.

Full Article