Tornado Cash, a decentralized Ethereum mixer offering privacy for transactions, has suffered a significant security breach. A security researcher known as Gas404 uncovered malicious JavaScript code concealed within a Tornado Cash governance proposal, compromising the privacy of deposit notes and data. The breach, ongoing for nearly two months, affects all transactions made through IPFS deployments, including popular gateways like ipfs.io, cf-ipfs.com, and eth.link, dating back to January 1.
Decentralized autonomous organizations (DAOs) rely on governance proposals to set strategic directions and modify technical protocols. In this case, a proposal numbered 47, purportedly submitted by a community developer named ‘Butterfly Effects,’ introduced the malicious code. The compromised code encoded private deposit notes to mimic regular blockchain transaction call data, effectively leaking sensitive information to an external server. Tornado Cash developers have confirmed the compromise and advised affected users to withdraw and replace potentially exposed notes. Token holders with voting rights were also urged to cancel their votes for proposal 47 to revert the protocol changes and eliminate the malicious code. However, this action does not eliminate the data leak entirely. To mitigate risks, Gas404 recommends users switch to a specific IPFS ContextHash deployment previously vetted through Tornado Cash governance.
