Malicious Code in Tornado Cash’s Governance Proposal Poses Risks 

  • A malicious javascript code identified in Tornado Cash’s governance proposal poses a potential threat.
  • The proposal was introduced by Tornado Cash community developer Butterfly Effects two months ago.
  • While the vulnerability is identified in the IPFS version, the hacker could be easily tracked.

Recent reports highlighted a malicious javascript code present in the two-month-old governance proposal introduced by the Tornado Cash community developer Butterfly Effects. According to the findings, the funds deposited since January 1, 2024, are at risk, posing a potential exploit.

Chinese crypto reporter Colin Wu shared an X post on his official page known as Wu Blockchain, providing insights on the vulnerability identified in the malicious proposal. According to his post, the governance proposal might have resulted in the leakage of the deposit notes of Tornado Cash to a private malicious server owned by the alleged developer since January 1.

Notably, the vulnerability is identified in the IPFS version of Tornado Cash. While Tornado Cash is a decentralized privacy solution for crypto transactions maintaining anonymity, the IPFS version is resistant to censorship and surveillance. Thus, the malicious code has become a “hidden trap” for the scammer, as the version would easily track them.

According to the SlowMist Founder Yu Xian, the malicious code in the IPFS version of Tornado Cash allows for the hijacking of deposit certificates. Though there are hints for some funds to be stolen since the approval of the proposal, it is unclear how many users are affected.

The community urges users to change their notes using the recommended IPFS ContextHash deployment which was previously used for tornadocash.eth. In addition, the community asked the users to vote to veto the previously deployed proposals to restrict any possible malicious exploit hidden on the proposal contract.

Last year, a hacker stole more than $1 million through a malicious governance proposal. Allegedly granting 1.2 million votes to the malevolent proposal, they gained control over Tornado Cash’s decentralized finance (DeFi) protocol, leading to the embezzlement of funds. 

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.

Comments

Post a Comment

Popular posts from this blog

FTX seeks $175M settlement with Genesis entities to resolve dispute

However, FTX creditors express discontent and urge the Official Committee of Unsecured Creditors of FTX (UCC) to contest the agreement. FTX, the troubled cryptocurrency exchange, and its CEO John J. Ray III have filed a motion seeking to reach a settlement of $176 million with Genesis entities.  As per a legal document, FTX Trading and related debtors have formally requested a court mandate to resolve their disagreement with Genesis entities , aiming to settle claims amounting to nearly $176 million. The claims put forth by Genesis entities involve around $176 million in customer claims against FTX Trading and its affiliates. However, FTX creditors expressed discontent and have urged the Official Committee of Unsecured Creditors of FTX (UCC) to contest the agreement. They point to Alameda's transfer of significant FTX customer funds to Genesis in 2022 as a concern. FTX asks court to settle Genesis dispute for a $175 million Genesis claim, the release of a $175 million customer
Read more

JPMorgan debuts tokenization platform TCN with BlackRock among key clients: Report

The platform enables the conversion of traditional assets into digital assets and makes way for faster and more secure settlements on-chain. American banking giant JP Morgan debuted its in-house blockchain collateralization platform called Tokenized Collateral Network (TCN) on Oct. 11, reported Bloomberg. TCN settled its first trade for asset management giant BlackRock. Tokenized Collateral Network is an application that allow investors to utilize assets as collateral. Using blockchain technology they can transfer collateral ownership without moving assets in underlying ledgers. The TCN network in its first public collateralized trade between JP Morgan and BlackRock turned shares of one money market fund into digital tokens, which were then transferred to Barclays Plc as security for an over-the-counter derivatives exchange between the two companies. The first internal test of TCN was conducted by JPMorgan in May 2022 and has a pipeline of other clients and transactions now that T
Read more

OpenSea ex-manager retracts bail request amid ongoing appeal

Nathaniel Chastain, a former product manager at NFT marketplace OpenSea, has opted to begin his three-month prison term for insider trading. On Sept. 6, the legal representatives of Nathaniel Chastain submitted a letter to a New York District Court, notifying the judge that Chastain has chosen to retract his bail application while the appeal is ongoing . As per the court’s earlier verdict, he will willingly surrender himself by Nov. 2 to start serving his sentence while the appeal is being reviewed. Earlier in May, Chastain was convicted of wire fraud and money laundering, marking the first insider trading case in the NFT sector. The former OpenSea executive was charged with exploiting confidential data to earn substantial profits by purchasing NFTs shortly before they were featured on OpenSea’s homepage, where their value would surge instantly. Chastain allegedly capitalized on this inside information, selling the NFTs at a higher price once their value escalated, breaching
Read more