Share this article
Finance
Tornado Cash Reportedly Suffers Backend Exploit, User Deposits at Risk
The exploit has the function to steal deposit data and deposited funds.
Updated Mar 8, 2024, 10:10 p.m. Published Feb 26, 2024, 3:08 p.m.
- Tornado Cash deposits and deposit data is reportedly at risk.
- A proposal has been made to revert back to a previous version of the protocol's IPFS deployment.
User deposits on token mixer Tornado Cash are reportedly at risk following the insertion of malicious code in the protocol's back end, according to a Medium post by community member Gas404.
The post explains that a malicious javascript code was hidden from a two-month-old governance proposal submitted by an alleged Tornado Cash developer on Jan. 1. The code redirects deposit data to a public server hosted by the alleged developer.
The function of the exploit is to leak Tornado Cash deposit data and there is also a function to steal a deposit itself. According to Gas404, one deposit was stolen out of this batch seen on etherscan.
Tornado Cash trading volume nosedived by more than 90% after the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) sanctioned Tornado Cash in August 2022.
Gas404 has proposed that Tornado Cash should revert to a previous IPFS ContextHash deployment used in a previous version of TornadoCash.
Oliver Knight
Oliver Knight joined CoinDesk as a news reporter in April 2022. Before joining CoinDesk, Knight was the Chief Reporter at Coin Rivet for three years. Having graduated with a journalism degree from Birmingham City University, Knight went on to work at various sports publications before diving into the world of Bitcoin in 2014. He does not have any crypto holdings.
