Funds at risk? Tornado Cash warns against transactions made since January 1st 2024.
Users who have made deposits on the Tornado Cash anonymisation service since 1 January are being warned to be vigilant. Sensitive information linked to these transactions may have been compromised. What information is available so far?
Certain deposits made on Tornado Cash present a risk
Yesterday, the Tornado Cash teams issued an alert concerning an 'exploit' that occurred on or after January 1st. This warning specifically concerns users who have made a deposit on or after this date, and more specifically those who have used IPFS:
“If you made a deposit on Tornado Cash using IPFS gateways (such as ipfs.io, cf-ipfs.com, eth.link), it is likely that your information was exposed and the deposited funds are at risk.”
Tornado Cash explains that malicious JavaScript code was inserted through a governance proposal submitted by a developer called Butterfly Effects. Since January 1st, Tornado Cash's deposit information has been compromised and sent to a “malicious private server allegedly belonging to the developer”.
The Tornado Cash teams have found that this malicious code has enabled funds deposited on Tornado Cash to be stolen on at least one occasion.
People whose funds could be at risk are encouraged to change the information associated with their deposits in order to secure their assets. To this end, they can use an IPFS gateway recommended by the teams:
“It is recommended that information be modified using the following ContextHash IPFS deployment, which was previously used for tornadocash.eth.”
Moreover, TORN token holders are encouraged to vote against two proposals submitted by user Butterfly Effects “to protect against further malicious activity”.
What to expect?
Apart from the one-off theft mentioned by the Tornado Cash teams, the exact scale of this malicious activity and the amounts involved are still unknown. Users are therefore advised to be cautious.
Tornado Cash appears to have run into difficulties in recent months. After warning at the end of 2023 of a lack of funds dedicated to its legal defence, the cryptocurrency mixer also saw its TORN token removed from Binance. Since then, equity crowdfunding platform GoFundMe has cancelled a dedicated fundraising round. The mixer is therefore going through a difficult period, and this newly revealed attack only worsens its situation.