• Tornado Cash deposits and deposit data is reportedly at risk.

  • A proposal has been made to revert back to a previous version of the protocol's IPFS deployment.

User deposits on token mixer Tornado Cash are reportedly at risk following the insertion of malicious code in the protocol's back end, according to a Medium post by community member Gas404.

The post explains that a malicious javascript code was hidden from a two-month-old governance proposal submitted by an alleged Tornado Cash developer on Jan. 1. The code redirects deposit data to a public server hosted by the alleged developer.

The function of the exploit is to leak Tornado Cash deposit data and there is also a function to steal a deposit itself. According to Gas404, one deposit was stolen out of this batch seen on etherscan.

Tornado Cash trading volume nosedived by more than 90% after the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) sanctioned Tornado Cash in August 2022.

Gas404 has proposed that Tornado Cash should revert to a previous IPFS ContextHash deployment used in a previous version of TornadoCash.