Tornado Cash website, discord offline after community finds malicious code in protocol’s backend

Crypto mixer Tornado Cash has reportedly fallen victim to a significant backend exploit that has put user deposits and sensitive data at risk.

The security breach was revealed in a Medium post by Gas404, a community member, on Feb. 26.

The exploit represents a critical vulnerability for Tornado Cash, whose trading volume already suffered a dramatic decline following sanctions from the US Treasury Department’s Office of Foreign Asset Control (OFAC) in August 2022.

The sanctions, which were part of broader measures targeting the crypto sector, had significantly reduced the mixer’s operational scale even before the exploit.

Malicious code

According to the Medium post, malicious JavaScript code was discovered in the protocol’s backend. It was reported injected through a compromised governance proposal submitted by an individual posing as a Tornado Cash developer on Jan. 1.

The code surreptitiously redirects user deposit information to a server controlled by the attacker, posing a dual threat — the exposure of deposit data and the outright theft of the deposits themselves.

One such theft has been confirmed through transaction records on Etherscan, highlighting the exploit’s immediate impact.

The exploit’s technical details were discussed at length in the community post, illustrating the sophisticated nature of the attack.

Specifically, the malicious code was designed to encode and exfiltrate private deposit notes, effectively breaching the anonymity and security that Tornado Cash users depend on.

Proposed solution

In response to the crisis, Gas404 has proposed a solution to mitigate the damage: reverting Tornado Cash to a prior version of its IPFS deployment.

The move aims to secure the platform against the current vulnerability by utilizing a previously established and ostensibly secure infrastructure setup.

The proposed change emphasizes the urgency of addressing security flaws within decentralized platforms, where governance proposals can be manipulated for malicious purposes.

The Tornado Cash website and Discord channel were taken offline following the revelation and have yet to come back online — an indication of the exploit’s severity and the ongoing efforts to contain its repercussions.