User Alert: Tornado Cash Developers Warn of Risk to Funds Deposited Since Jan. 1
Tornado Cash developers have issued a scam warning to cryptocurrency users who made deposits via IPFS gateways between Jan. 1 and Feb. 24. Developers suspect that an exploiter may have “leaked” Tornado Cash deposits during this period to a server under their control.

‘Malicious Javascript Code’
Developers of Tornado Cash, a smart contract-based cryptocurrency mixer, have issued a scam warning to users who made deposits via the financial services firm IPFS’ gateways starting Jan. 1. The developers assert that such users’ deposit notes may have been exposed to a “malicious javascript code.”
The developers suspect that an exploiter may have “leaked” Tornado Cash deposits during this period to a server under their control. In a Medium post confirming the code’s existence, the developers revealed that the code had been concealed from the governance proposal submitted by Butterfly Effects, a Tornado Cash community developer.
However, according to the developers, the deposit leak seemingly applied only to IPFS deployments of Tornado Cash. For users who interacted with the contract using local interfaces, the situation is different, the developers said. As per the Medium post, the latter users are considered “safe” since changes on commits can be “easily audited.”
Depositors Advised to Alter Deposit Notes
Meanwhile, the developers provided a breakdown of how the exploiter used the code to divert funds from at least one depositor.
“The function above encodes private deposit notes to be seen like call data and it hides window.fetch function to not be seen as a function that leaks deposit information to a personal server of the exploiter.”
To prevent the exploiter from repeating this action, the developers advised depositors to transition their notes via a recommended and previously utilized IPFS context hash deployment. Furthermore, they also called on TORN token holders to veto any proposals that have also been deployed by the exploiter.
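The behaviour the developers describe, approached from the defender's side, as an added example that is not code from the Tornado Cash developers or from this article: a wrapper around `fetch` that refuses any outbound request carrying a deposit note, whether verbatim or hex-encoded to look like call data. The function names and the sample note are assumptions made for illustration.

```javascript
// Added example (not Tornado Cash code). Tripwire for outbound requests that
// carry a secret, verbatim or hex-encoded as in the call-data disguise above.

// UTF-8 bytes of a string as lowercase hex; works in browsers and Node.
function utf8Hex(s) {
  return Array.from(new TextEncoder().encode(s), (b) =>
    b.toString(16).padStart(2, "0")).join("");
}

// Flatten a fetch body to text so it can be searched.
function bodyText(body) {
  if (body == null) return "";
  if (typeof body === "string") return body;
  if (body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
    return new TextDecoder().decode(body);
  }
  return String(body); // URLSearchParams and similar
}

// Return the form in which a secret appears in the request, or null.
function findLeak(url, init, secrets) {
  const haystack = (String(url) + "\n" + bodyText(init && init.body)).toLowerCase();
  for (const secret of secrets) {
    if (haystack.includes(secret.toLowerCase())) return "plain";
    if (haystack.includes(utf8Hex(secret))) return "hex";
  }
  return null;
}

// Wrap a fetch implementation: record and refuse any leaking request.
function guardFetch(realFetch, secrets, report) {
  return function guardedFetch(url, init) {
    const form = findLeak(url, init, secrets);
    if (form !== null) {
      report({ url: String(url), form });
      throw new Error("blocked outbound request containing a secret");
    }
    return realFetch(url, init);
  };
}

// Constructed sample note for the example; not a real deposit note.
const SAMPLE_NOTE = "note-CONSTRUCTED-0x1f2e3d4c5b6a";
```

Installed over `window.fetch` before application scripts load, the wrapper only sees requests made through that reference, so it serves as a tripwire rather than a guarantee.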