Tornado Cash website, discord offline after community finds malicious code in protocol’s backend
The backend exploit that has put user deposits and sensitive data at risk.
Crypto mixer Tornado Cash has reportedly fallen victim to a significant backend exploit that has put user deposits and sensitive data at risk.
The security breach was revealed in a Medium post by Gas404, a community member, on Feb. 26.
The exploit represents a critical vulnerability for Tornado Cash, whose trading volume already suffered a dramatic decline following sanctions from the US Treasury Department’s Office of Foreign Asset Control (OFAC) in August 2022.
The sanctions, which were part of broader measures targeting the crypto sector, had significantly reduced the mixer’s operational scale even before the exploit.
Malicious code
According to the Medium post, malicious JavaScript code was discovered in the protocol’s backend. It was reported injected through a compromised governance proposal submitted by an individual posing as a Tornado Cash developer on Jan. 1.
The code surreptitiously redirects user deposit information to a server controlled by the attacker, posing a dual threat — the exposure of deposit data and the outright theft of the deposits themselves.
One such theft has been confirmed through transaction records on Etherscan, highlighting the exploit’s immediate impact.
The exploit’s technical details were discussed at length in the community post, illustrating the sophisticated nature of the attack.
Specifically, the malicious code was designed to encode and exfiltrate private deposit notes, effectively breaching the anonymity and security that Tornado Cash users depend on.
Proposed solution
In response to the crisis, Gas404 has proposed a solution to mitigate the damage: reverting Tornado Cash to a prior version of its IPFS deployment.
The move aims to secure the platform against the current vulnerability by utilizing a previously established and ostensibly secure infrastructure setup.
The proposed change emphasizes the urgency of addressing security flaws within decentralized platforms, where governance proposals can be manipulated for malicious purposes.
The Tornado Cash website and Discord channel were taken offline following the revelation and have yet to come back online — an indication of the exploit’s severity and the ongoing efforts to contain its repercussions.
Mentioned in this article
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
New spot margin trading pair — HOLO/USDT!
FUN drops by 32.34% within 24 hours as it faces a steep short-term downturn
- FUN plunged 32.34% in 24 hours to $0.008938, marking a 541.8% monthly loss amid prolonged bearish trends. - Technical breakdowns, elevated selling pressure, and forced liquidations highlight deteriorating market sentiment and risk-off behavior. - Analysts identify key support below $0.0080 as critical, with bearish momentum confirmed by RSI (<30) and MACD indicators. - A trend-following backtest strategy proposes short positions based on technical signals to capitalize on extended downward trajectories.
OPEN has dropped by 189.51% within 24 hours during a significant market pullback
- OPEN's price plummeted 189.51% in 24 hours to $0.8907, marking its largest intraday decline in history. - The token fell 3793.63% over 7 days, matching identical monthly and yearly declines, signaling severe bearish momentum. - Technical analysts cite broken support levels and lack of bullish catalysts as key drivers of the sustained sell-off. - Absence of stabilizing volume or reversal patterns leaves the market vulnerable to further downward pressure.
New spot margin trading pair — LINEA/USDT!
Trending news
MoreCrypto prices
More
