Deposits made to Tornado Cash using IPFS gateways through IPFS gateways like â ipfs.io, cf-ipfs.com, and eth.link â may have been compromised, potentially exposing usersâ deposited funds to risk, according to pseudonymous Tornado Cash developer âGas404.â
Affected users were advised to take immediate action to safeguard their deposits.
According to a blog post by Gas404, the community made a startling discovery about the presence of malicious JavaScript code, which was hidden within a governance proposal submitted by an alleged Tornado Cash developer known as Butterfly Effects.
This hidden code is speculated to have been leaking deposit notes to a private server controlled by the developer since January 1st.
Notably, the risk seems to be limited to IPFS deployments of Tornado Cash, as Gas404 mentioned that changes to the minified source code could easily be audited on local interfaces.
To mitigate the potential damage, the post recommended holders of Tornado Cashâs native token, TORN, vote for a veto on the two questionable proposals previously deployed by the exploiter.
Tornado Cash is one of the most popular crypto mixers in the world. In a major blow, the US Department of the Treasuryâs Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash in August 2022, prohibiting individuals, residents, and entities within the United States from engaging in financial transactions through the platform.
The Treasury Department alleged that the crypto mixer facilitated the laundering of over $7 billion in digital currencies, including $455 million believed to have been pilfered in 2022 by the Lazarus Group, a notorious entity linked to the North Korean government.
Subsequently, the projectâs domain was seized, and GitHub removed the Tornado Cash repository while suspending the developersâ accounts, leading to an outcry from privacy advocates. The Microsoft-owned platform later unbanned the coin mixer and contributors.
Last May, an attacker employed a deceptive proposal to wrest control of Tornado Cashâs Decentralized Autonomous Organization (DAO). The proposal contained a hidden code that granted the hacker ownership of fraudulent voting tokens upon the DAOâs approval.
Following a successful vote, the hacker amassed enough voting power to manipulate future proposals. By the end of the month, the hacker had seemingly relinquished control, having converted a portion of the stolen governance tokens valued at approximately $900,000 into Ether, which were then laundered through the Tornado Cash service.
Further complicating matters, two additional Tornado developers, Roman Storm and Roman Semenov, faced charges related to their alleged involvement in facilitating money laundering, totaling $1 billion. Roman Storm was subsequently apprehended in Washington State and pleaded ânot guiltyâ to the charges against him.
The post Tornado Cash Vulnerability: Developers Flag Depositsâ Risk Since January 1st appeared first on CryptoPotato.
Affected users were advised to take immediate action to safeguard their deposits.
User Deposits Vulnerable
According to a blog post by Gas404, the community made a startling discovery about the presence of malicious JavaScript code, which was hidden within a governance proposal submitted by an alleged Tornado Cash developer known as Butterfly Effects.
This hidden code is speculated to have been leaking deposit notes to a private server controlled by the developer since January 1st.
Notably, the risk seems to be limited to IPFS deployments of Tornado Cash, as Gas404 mentioned that changes to the minified source code could easily be audited on local interfaces.
To mitigate the potential damage, the post recommended holders of Tornado Cashâs native token, TORN, vote for a veto on the two questionable proposals previously deployed by the exploiter.
The Fall of Tornado Cash
Tornado Cash is one of the most popular crypto mixers in the world. In a major blow, the US Department of the Treasuryâs Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash in August 2022, prohibiting individuals, residents, and entities within the United States from engaging in financial transactions through the platform.
The Treasury Department alleged that the crypto mixer facilitated the laundering of over $7 billion in digital currencies, including $455 million believed to have been pilfered in 2022 by the Lazarus Group, a notorious entity linked to the North Korean government.
Subsequently, the projectâs domain was seized, and GitHub removed the Tornado Cash repository while suspending the developersâ accounts, leading to an outcry from privacy advocates. The Microsoft-owned platform later unbanned the coin mixer and contributors.
Last May, an attacker employed a deceptive proposal to wrest control of Tornado Cashâs Decentralized Autonomous Organization (DAO). The proposal contained a hidden code that granted the hacker ownership of fraudulent voting tokens upon the DAOâs approval.
Following a successful vote, the hacker amassed enough voting power to manipulate future proposals. By the end of the month, the hacker had seemingly relinquished control, having converted a portion of the stolen governance tokens valued at approximately $900,000 into Ether, which were then laundered through the Tornado Cash service.
Further complicating matters, two additional Tornado developers, Roman Storm and Roman Semenov, faced charges related to their alleged involvement in facilitating money laundering, totaling $1 billion. Roman Storm was subsequently apprehended in Washington State and pleaded ânot guiltyâ to the charges against him.
The post Tornado Cash Vulnerability: Developers Flag Depositsâ Risk Since January 1st appeared first on CryptoPotato.
![[DK]](/data/avatars/s/57/57999.jpg?1720990206){kind=avatar}
