The exploit poses a threat by allowing unauthorized access to deposit information and funds stored within the Tornado Cash platform.
Reports indicate that both the deposited funds and associated data within Tornado Cash are vulnerable to this exploit.
A suggestion has been put forth to return to an earlier iteration of the protocol’s IPFS deployment as a precautionary measure.
According to a Medium article authored by Gas404, users’ deposits within the token mixer Tornado Cash are at risk because malicious code was introduced into the protocol’s backend.
The article explains that the malicious JavaScript code was surreptitiously inserted into a governance proposal submitted on January 1st, approximately two months ago, by an individual claiming to be a Tornado Cash developer.
This code diverts deposit data to a public server maintained by the purported developer.
The primary objective of this exploit is to expose Tornado Cash deposit data, while additional functionality enables the direct theft of deposits.
Gas404 further reveals that at least one deposit has been pilfered from this group, as evidenced by records on Etherscan.
Following the imposition of sanctions by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in August 2022, trading activity on Tornado Cash declined drastically, falling by over 90%.
Gas404 recommends reverting to a previous IPFS ContextHash deployment used in an earlier version of Tornado Cash as a proactive measure.