According to PANews, SlowMist founder Yu Xian recently revealed on Twitter that the IPFS version of Tornado Cash has a backdoor code that allows for the hijacking of deposit certificates. The malicious code was reportedly introduced due to a governance attack, which led to the quiet approval of a malicious proposal. The code has been present for nearly two months, during which some attackers' funds intended for mixing may have been stolen through this backdoor.
Tornado Cash is a decentralized privacy solution that allows users to send and receive cryptocurrency while maintaining their anonymity. The IPFS version of the platform is designed to be more resistant to censorship and surveillance. However, the discovery of this backdoor code raises concerns about the security and integrity of the platform.
It is unclear how many users have been affected by this issue or how much money has been stolen through the backdoor. The Tornado Cash team has not yet released an official statement regarding the matter. Users are advised to exercise caution when using the platform and to stay updated on any developments related to this security issue.