Bitget App
Trade smarter
Buy cryptoMarketsTradeFuturesCopyBotsEarn
Malicious Code in Tornado Cash’s Governance Proposal Poses Risks

Malicious Code in Tornado Cash’s Governance Proposal Poses Risks

CoineditionCoinedition2024/02/25 16:37
By:Nynu V Jamal
  • A malicious javascript code identified in Tornado Cash’s governance proposal poses a potential threat.
  • The proposal was introduced by Tornado Cash community developer Butterfly Effects two months ago.
  • While the vulnerability is identified in the IPFS version, the hacker could be easily tracked.

Recent reports highlighted a malicious javascript code present in the two-month-old governance proposal introduced by the Tornado Cash community developer Butterfly Effects. According to the findings, the funds deposited since January 1, 2024, are at risk, posing a potential exploit.

Chinese crypto reporter Colin Wu shared an X post on his official page known as Wu Blockchain, providing insights on the vulnerability identified in the malicious proposal. According to his post, the governance proposal might have resulted in the leakage of the deposit notes of Tornado Cash to a private malicious server owned by the alleged developer since January 1.

The community has found that a malicious javascript code was hidden from the 2-month-old governance proposal made by the alleged Tornado Cash community developer Butterfly Effects from the previous governance proposal 44 and thus we estimate that since Jan 1st the deposit notes…

— Wu Blockchain (@WuBlockchain) February 25, 2024

Notably, the vulnerability is identified in the IPFS version of Tornado Cash. While Tornado Cash is a decentralized privacy solution for crypto transactions maintaining anonymity, the IPFS version is resistant to censorship and surveillance. Thus, the malicious code has become a “hidden trap” for the scammer, as the version would easily track them.

According to the SlowMist Founder Yu Xian , the malicious code in the IPFS version of Tornado Cash allows for the hijacking of deposit certificates. Though there are hints for some funds to be stolen since the approval of the proposal, it is unclear how many users are affected.

The community urges users to change their notes using the recommended IPFS ContextHash deployment which was previously used for tornadocash.eth. In addition, the community asked the users to vote to veto the previously deployed proposals to restrict any possible malicious exploit hidden on the proposal contract.

Last year, a hacker stole more than $1 million through a malicious governance proposal. Allegedly granting 1.2 million votes to the malevolent proposal, they gained control over Tornado Cash’s decentralized finance (DeFi) protocol, leading to the embezzlement of funds. 

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.

0

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.

PoolX: Locked for new tokens.
APR up to 10%. Always on, always get airdrop.
Lock now!

You may also like

Trump and Wall Street: How long will the love affair last?

Share link:In this post: Wall Street loved Trump’s win at first—stocks jumped, Bitcoin soared, and borrowing costs hit rock bottom, but some sectors started cracking fast. Tax cuts and deregulation made financial and energy stocks shoot up, but tariffs and plans to deport workers freaked out economists and markets. Tariffs mean higher prices for Americans, and even Walmart’s warning it’ll have to raise prices if Trump pushes through with his trade war.

Cryptopolitan2024/11/24 03:44