A popular token mixer, Tornado Cash, is facing a security threat as a malicious code has been inserted into its back end, putting user deposits at risk.
A community member named Gas404 discovered that a hidden javascript code was added to a recent governance proposal submitted by an alleged Tornado Cash developer.
This code redirects deposit data to a public server controlled by the same developer, with functions designed to leak deposit data and even steal deposits.
Gas404 revealed that at least one deposit has already been stolen using this exploit, as observed on etherscan. To address the security issue, Gas404 proposed a revert to a previous IPFS ContextHash deployment used in an earlier version of Tornado Cash.
The situation with the token mixer deteriorated even more when the volume of its trading decreased by more than 90% after the sanctions of the U.S. Treasury Department in August 2022. Tornado Cash has been under scrutiny and it has affected its user base and its activity.
The Tornado Cash malicious code incident demonstrates that the decentralized platforms are not safe, and therefore, more strict security measures in the crypto world are needed.
Also Read: Tornado Cash Fundraiser Halted by GoFundMe