Article Details
Scrape Timestamp (UTC): 2024-02-27 14:23:36.672
Original Article Text
Click to Toggle View
Code injected into Tornado Cash on January 1 puts user funds at risk. Malicious JavaScript code hidden in a Tornado Cash governance proposal has been leaking deposit notes and data to a private server for almost two months. This leak compromises the privacy and security of all fund transactions made through IPFS deployments, such as ipfs.io, cf-ipfs.com, and eth.link gateways since January 1. A security researcher using the nickname Gas404 discovered and reported the malicious code, urging stakeholders to veto the malicious governance proposals. Tornado Cash is a decentralized, open-source mixer on the Ethereum blockchain that provides privacy for transactions through non-custodial, trustless, and serverless anonymization. It uses a cryptographic zero-knowledge system named SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) to allow users to deposit and withdraw funds anonymously. Apart from users with legitimate reasons to protect their transactions from outside observers, Tornado Cash has also been used for money laundering. The use of the mixer for illegal purposes led to sanctions in the United States in 2022 and the project's founders were charged in 2023 for helping criminals launder over $1 billion worth of stolen cryptocurrency. Planting malicious code Governance proposals in decentralized autonomous organizations (DAOs) like Tornado Cash are fundamental mechanisms for setting strategic directions, introducing updates, and modifying the core of the technical protocols. They are submitted by token holders on the chain and are subsequently discussed and voted on by the project's community. If accepted, the proposals are implemented into the protocol. In the case of the Tornado Cash compromise, malicious JS code was introduced two months ago via a governance proposal (number 47) from 'Butterfly Effects' - allegedly a community member, and modified the protocol to leak deposit notes to the attacker's server. Gas404 says that the malicious function encodes the private deposit notes to make them appear like regular blockchain transaction call data and hides the use of the 'window.fetch' function to further obfuscate the exploitation mechanism. The Tornado Cash Developers confirmed the compromise and warned about the risks, advising users to withdraw their old and possibly exposed notes and replace them with newly generated ones. Also, token holders with voting rights were advised to cancel their votes for proposal 47 to revert the protocol changes and remove the malicious code. This will not eliminate the leak of the sensitive data, though. To mitigate the risk, Gas404 advises potentially exposed users to switch to a specific IPFS ContextHash deployment previously recommended and verified through Tornado Cash governance.
Daily Brief Summary
Tornado Cash, an Ethereum blockchain mixer, had malicious code injected through a governance proposal that leaked user transaction data.
The code has been active since January 1, compromising privacy and security for users on several IPFS deployments.
The vulnerability was discovered by a security researcher known as Gas404, who alerted the community to veto the corrupted governance proposal.
Tornado Cash is known for its privacy features using zero-knowledge SNARKs but has faced scrutiny for its use in money laundering activities.
The platform's developers have recognized the breach and recommended users withdraw and regenerate their transaction notes.
Proposal 47, which introduced the harmful code, is under scrutiny, and token holders are advised to revoke their votes to mitigate the security breach.
Users are advised to switch to a specific IPFS ContextHash deployment that is considered secure following a Tornado Cash governance validation.