Bitget App
Trade smarter
Buy cryptoMarketsTradeFuturesCopyBotsEarn
Malicious Code in Tornado Cash’s Governance Proposal Poses Risks

Malicious Code in Tornado Cash’s Governance Proposal Poses Risks

CoineditionCoinedition2024/02/25 16:37
By:Nynu V Jamal
  • A malicious javascript code identified in Tornado Cash’s governance proposal poses a potential threat.
  • The proposal was introduced by Tornado Cash community developer Butterfly Effects two months ago.
  • While the vulnerability is identified in the IPFS version, the hacker could be easily tracked.

Recent reports highlighted a malicious javascript code present in the two-month-old governance proposal introduced by the Tornado Cash community developer Butterfly Effects. According to the findings, the funds deposited since January 1, 2024, are at risk, posing a potential exploit.

Chinese crypto reporter Colin Wu shared an X post on his official page known as Wu Blockchain, providing insights on the vulnerability identified in the malicious proposal. According to his post, the governance proposal might have resulted in the leakage of the deposit notes of Tornado Cash to a private malicious server owned by the alleged developer since January 1.

The community has found that a malicious javascript code was hidden from the 2-month-old governance proposal made by the alleged Tornado Cash community developer Butterfly Effects from the previous governance proposal 44 and thus we estimate that since Jan 1st the deposit notes…

— Wu Blockchain (@WuBlockchain) February 25, 2024

Notably, the vulnerability is identified in the IPFS version of Tornado Cash. While Tornado Cash is a decentralized privacy solution for crypto transactions maintaining anonymity, the IPFS version is resistant to censorship and surveillance. Thus, the malicious code has become a “hidden trap” for the scammer, as the version would easily track them.

According to the SlowMist Founder Yu Xian , the malicious code in the IPFS version of Tornado Cash allows for the hijacking of deposit certificates. Though there are hints for some funds to be stolen since the approval of the proposal, it is unclear how many users are affected.

The community urges users to change their notes using the recommended IPFS ContextHash deployment which was previously used for tornadocash.eth. In addition, the community asked the users to vote to veto the previously deployed proposals to restrict any possible malicious exploit hidden on the proposal contract.

Last year, a hacker stole more than $1 million through a malicious governance proposal. Allegedly granting 1.2 million votes to the malevolent proposal, they gained control over Tornado Cash’s decentralized finance (DeFi) protocol, leading to the embezzlement of funds. 

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.

0

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.

PoolX: Locked for new tokens.
APR up to 10%. Always on, always get airdrop.
Lock now!

You may also like

US stocks head into holiday week with history on their side

Let’s take a look at how US equities typically perform this time of year and what we might see in the coming days

Blockworks2024/11/27 03:33

Cardano implements first ZK smart contract

Share link:In this post: Cardano has deployed its first zero-knowledge smart contract on the mainnet through the use of the Halo 2 zkSNARKs. The technology allows for secure and private verification of computations with the help of the network without disclosing sensitive information. ADA recently crossed the $1 level and went as high as $1.15 before a 17% drop.

Cryptopolitan2024/11/27 03:33