Recent reports highlighted a malicious javascript code present in the two-month-old governance proposal introduced by the Tornado Cash community developer Butterfly Effects. According to the findings, the funds deposited since January 1, 2024, are at risk, posing a potential exploit.
Chinese crypto reporter Colin Wu shared an X post on his official page known as Wu Blockchain, providing insights on the vulnerability identified in the malicious proposal. According to his post, the governance proposal might have resulted in the leakage of the deposit notes of Tornado Cash to a private malicious server owned by the alleged developer since January 1.
The community has found that a malicious javascript code was hidden from the 2-month-old governance proposal made by the alleged Tornado Cash community developer Butterfly Effects from the previous governance proposal 44 and thus we estimate that since Jan 1st the deposit notes…
— Wu Blockchain (@WuBlockchain) February 25, 2024
Notably, the vulnerability is identified in the IPFS version of Tornado Cash. While Tornado Cash is a decentralized privacy solution for crypto transactions maintaining anonymity, the IPFS version is resistant to censorship and surveillance. Thus, the malicious code has become a “hidden trap” for the scammer, as the version would easily track them.
According to the SlowMist Founder Yu Xian, the malicious code in the IPFS version of Tornado Cash allows for the hijacking of deposit certificates. Though there are hints for some funds to be stolen since the approval of the proposal, it is unclear how many users are affected.
The community urges users to change their notes using the recommended IPFS ContextHash deployment which was previously used for tornadocash.eth. In addition, the community asked the users to vote to veto the previously deployed proposals to restrict any possible malicious exploit hidden on the proposal contract.
Last year, a hacker stole more than $1 million through a malicious governance proposal. Allegedly granting 1.2 million votes to the malevolent proposal, they gained control over Tornado Cash’s decentralized finance (DeFi) protocol, leading to the embezzlement of funds.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.