Malicious Code in Tornado Cash’s Governance Proposal Poses Risks
- A malicious javascript code identified in Tornado Cash’s governance proposal poses a potential threat.
- The proposal was introduced by Tornado Cash community developer Butterfly Effects two months ago.
- While the vulnerability is identified in the IPFS version, the hacker could be easily tracked.
Recent reports highlighted a malicious javascript code present in the two-month-old governance proposal introduced by the Tornado Cash community developer Butterfly Effects. According to the findings, the funds deposited since January 1, 2024, are at risk, posing a potential exploit.
Chinese crypto reporter Colin Wu shared an X post on his official page known as Wu Blockchain, providing insights on the vulnerability identified in the malicious proposal. According to his post, the governance proposal might have resulted in the leakage of the deposit notes of Tornado Cash to a private malicious server owned by the alleged developer since January 1.
The community has found that a malicious javascript code was hidden from the 2-month-old governance proposal made by the alleged Tornado Cash community developer Butterfly Effects from the previous governance proposal 44 and thus we estimate that since Jan 1st the deposit notes…
— Wu Blockchain (@WuBlockchain) February 25, 2024
Notably, the vulnerability is identified in the IPFS version of Tornado Cash. While Tornado Cash is a decentralized privacy solution for crypto transactions maintaining anonymity, the IPFS version is resistant to censorship and surveillance. Thus, the malicious code has become a “hidden trap” for the scammer, as the version would easily track them.
According to the SlowMist Founder Yu Xian , the malicious code in the IPFS version of Tornado Cash allows for the hijacking of deposit certificates. Though there are hints for some funds to be stolen since the approval of the proposal, it is unclear how many users are affected.
The community urges users to change their notes using the recommended IPFS ContextHash deployment which was previously used for tornadocash.eth. In addition, the community asked the users to vote to veto the previously deployed proposals to restrict any possible malicious exploit hidden on the proposal contract.
Last year, a hacker stole more than $1 million through a malicious governance proposal. Allegedly granting 1.2 million votes to the malevolent proposal, they gained control over Tornado Cash’s decentralized finance (DeFi) protocol, leading to the embezzlement of funds.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Beam: 3 Reason’s Mpeppe Is Gaining Attention From BEAM and SUI investors
Beam (BEAM) Whales Migrate Into New Beam (BEAM) Rival Mpeppe Positioned To Skyrocket In 2024
Crypto Wallet Exodus Movement (EXOD) Partners with Major Hardware Manufacturer!
Exodus Movement has teamed up with Ledger, a leading hardware manufacturer, to launch a new crypto exchange aggregator.
According to JPMorgan Research Report, There Is a First in Bitcoin (BTC) Mining!
Bitcoin (BTC) mining earnings took a major dive in the first half of September, with the Bitcoin price remaining below $60,000.
Trending news
MoreCrypto prices
More
