Bitget App
Trade smarter
Buy cryptoMarketsTradeFuturesCopyBotsEarn

Tornado Cash website, discord offline after community finds malicious code in protocol’s backend

Crypto SlateCrypto Slate2024/02/26 17:07
By:Assad Jafri

The backend exploit that has put user deposits and sensitive data at risk.

Crypto mixer Tornado Cash has reportedly fallen victim to a significant backend exploit that has put user deposits and sensitive data at risk.

The security breach was revealed in a Medium post by Gas404, a community member, on Feb. 26.

The exploit represents a critical vulnerability for Tornado Cash, whose trading volume already suffered a dramatic decline following sanctions from the US Treasury Department’s Office of Foreign Asset Control (OFAC) in August 2022.

The sanctions, which were part of broader measures targeting the crypto sector, had significantly reduced the mixer’s operational scale even before the exploit.

Malicious code

According to the Medium post, malicious JavaScript code was discovered in the protocol’s backend. It was reported injected through a compromised governance proposal submitted by an individual posing as a Tornado Cash developer on Jan. 1.

The code surreptitiously redirects user deposit information to a server controlled by the attacker, posing a dual threat — the exposure of deposit data and the outright theft of the deposits themselves.

One such theft has been confirmed through transaction records on Etherscan, highlighting the exploit’s immediate impact.

The exploit’s technical details were discussed at length in the community post, illustrating the sophisticated nature of the attack.

Specifically, the malicious code was designed to encode and exfiltrate private deposit notes, effectively breaching the anonymity and security that Tornado Cash users depend on.

Proposed solution

In response to the crisis, Gas404 has proposed a solution to mitigate the damage: reverting Tornado Cash to a prior version of its IPFS deployment.

The move aims to secure the platform against the current vulnerability by utilizing a previously established and ostensibly secure infrastructure setup.

The proposed change emphasizes the urgency of addressing security flaws within decentralized platforms, where governance proposals can be manipulated for malicious purposes.

The Tornado Cash website and Discord channel were taken offline following the revelation and have yet to come back online — an indication of the exploit’s severity and the ongoing efforts to contain its repercussions.

Mentioned in this article
Tornado Cash
Latest Alpha Market Report

Disclaimer: Our writers' opinions are solely their own and do not reflect the opinion of CryptoSlate. None of the information you read on CryptoSlate should be taken as investment advice, nor does CryptoSlate endorse any project that may be mentioned or linked to in this article. Buying and trading cryptocurrencies should be considered a high-risk activity. Please do your own due diligence before taking any action related to content within this article. Finally, CryptoSlate takes no responsibility should you lose money trading cryptocurrencies.

0

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.

PoolX: Stake to earn
CEC, QTLX, GDV and other popular new coins are in hot progress!
Stake now!

You may also like

SEC greenlights listing and trading options for BlackRock's spot bitcoin ETF

The SEC approved spot bitcoin ETFs earlier this year, but had not yet approved listing and trading for options on those products.

The Block2024/09/20 21:27