User deposits on token mixer Tornado Cash are reportedly at risk following the insertion of malicious code in the protocol’s back end, according to a Medium post by community member Gas404.
The post explains that malicious JavaScript code was hidden in a two-month-old governance proposal submitted by an alleged Tornado Cash developer on Jan. 1. The code redirects deposit data to a public server hosted by the alleged developer.
The exploit's function is to leak Tornado Cash deposit data, and it also contains a function to steal a deposit itself. According to Gas404, one deposit was stolen out of this batch seen on Etherscan.
Tornado Cash trading volume nosedived by more than 90% after the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash in August 2022.
Gas404 has proposed that Tornado Cash revert to a previous IPFS ContextHash deployment used in an earlier version of Tornado Cash.