A security breach in a Tornado Cash governance proposal has led to the leakage of deposit notes and data to a private server for nearly two months, jeopardizing the privacy and security of fund transactions conducted through IPFS deployments.
Since January 1, transactions made via IPFS deployments such as ipfs.io, cf-ipfs.com, and eth.link gateways have been compromised due to malicious JavaScript code embedded within a Tornado Cash governance proposal.
Gas404, a security researcher, uncovered and reported the malicious code, urging stakeholders to reject the nefarious governance proposals.
Tornado Cash, a decentralized mixer on the Ethereum blockchain, offers transaction privacy through non-custodial, trustless, and serverless anonymization, utilizing a cryptographic zero-knowledge system known as SNARKs.
While Tornado Cash serves users with legitimate privacy needs, it has also been exploited for money laundering purposes, resulting in sanctions in the United States in 2022 and legal action against the project’s founders in 2023 for facilitating cryptocurrency laundering exceeding $1 billion.
The compromise occurred when malicious JavaScript code was introduced via governance proposal number 47 from ‘Butterfly Effects,’ purportedly a community developer, modifying the protocol to leak deposit notes to the attacker’s server.
Gas404 explained that the malicious function encoded private deposit notes to mimic regular blockchain transaction call data and concealed the exploitation mechanism using ‘window.fetch’ function.
Tornado Cash Developers acknowledged the breach, advising users to withdraw old and potentially exposed notes and replace them with newly generated ones. Token holders with voting rights were urged to retract their votes for proposal 47 to reverse the protocol changes and eradicate the malicious code.
However, this action does not fully eliminate the data leak risk. To mitigate the threat, Gas404 recommended potentially exposed users to transition to a specific IPFS ContextHash deployment previously endorsed and validated through Tornado Cash governance.
