Tornado Cash Supposedly Hit by Backend Exploit and Endangering User Deposits
The vulnerability allows for the theft of deposit data as well as funds that have been placed.
A member of the community named Gas404 wrote a post on Medium in which he said that user deposits on the token mixer Tornado Cash are purportedly in danger as a result of the introduction of malicious code into the back end of the protocol.
In the document, it is explained that malicious JavaScript code was concealed inside a governance proposal that was more than two months old and had been filed on January 1 by a claimed Tornado Cash developer. Data pertaining to deposits is redirected by the code to a public server that is maintained by the purported developer.
The exploit has two functions: the first is to steal a deposit itself, and the second is to expose information on Tornado Cash deposits. Gas404 reports that one deposit was taken from the quantity identified by etherscan.
Following the sanctioning of Tornado Cash by the Office of Foreign Asset Control (OFAC) of the United States Treasury Department in August 2022, the trading volume of Tornado Cash saw a sharp drop of more than 90 percent.
Gas404 has suggested that Tornado Cash should return to an earlier IPFS ContextHash deployment that was used in an earlier version of TornadoCash at some point in the future.
Also Read: Microstrategy’s X account was hacked and an airdrop scam is being promoted February 26, 2024