An article by community member Gas404 on Medium claims that malicious code has been inserted into the protocol’s back end, putting user deposits on token mixer Tornado Cash at risk. A two-month-old governance proposal submitted on January 1st by a claimed Tornado Cash engineer contained malicious JavaScript code, as explained in the post.The accused developer’s public server is the destination of deposit data that is redirected by the code.In addition to allowing for deposit theft, the exploit’s primary purpose is to reveal Tornado Cash deposit information.Gas404 claims that out of the batch visible on etherscan, one deposit was taken.
Following Tornado Cash’s sanction by the Office of Foreign Asset Control (OFAC) of the U.S. Treasury Department in August 2022, trade volume plummeted by over 90%.According to Gas404, Tornado Cash ought to go back to the IPFS ContextHash deployment from an earlier iteration of TornadoCash.