Deposits made to Tornado Cash using IPFS gateways through IPFS gateways like – ipfs.io, cf-ipfs.com, and eth.link – may have been compromised, potentially exposing users’ deposited funds to risk, according to pseudonymous Tornado Cash developer ‘Gas404.’

Affected users were advised to take immediate action to safeguard their deposits.

User Deposits Vulnerable

According to a blog post by Gas404, the community made a startling discovery about the presence of malicious JavaScript code, which was hidden within a governance proposal submitted by an alleged Tornado Cash developer known as Butterfly Effects.

This hidden code is speculated to have been leaking deposit notes to a private server controlled by the developer since January 1st.

Notably, the risk seems to be limited to IPFS deployments of Tornado Cash, as Gas404 mentioned that changes to the minified source code could easily be audited on local interfaces.

To mitigate the potential damage, the post recommended holders of Tornado Cash’s native token, TORN, vote for a veto on the two questionable proposals previously deployed by the exploiter.

“This would only count to the IPFS deployments of Tornado Cash since the minified source has become a hidden trap for a scammer and thus people who have interacted with the contract using local interfaces would be considered as safe since changes on commits could be audited easily.”

The Fall of Tornado Cash

Tornado Cash is one of the most popular crypto mixers in the world. In a major blow, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash in August 2022, prohibiting individuals, residents, and entities within the United States from engaging in financial transactions through the platform.

The Treasury Department alleged that the crypto mixer facilitated the laundering of over $7 billion in digital currencies, including $455 million believed to have been pilfered in 2022 by the Lazarus Group, a notorious entity linked to the North Korean government.

Subsequently, the project’s domain was seized, and GitHub removed the Tornado Cash repository while suspending the developers’ accounts, leading to an outcry from privacy advocates. The Microsoft-owned platform later unbanned the coin mixer and contributors.

Last May, an attacker employed a deceptive proposal to wrest control of Tornado Cash’s Decentralized Autonomous Organization (DAO). The proposal contained a hidden code that granted the hacker ownership of fraudulent voting tokens upon the DAO’s approval.

Following a successful vote, the hacker amassed enough voting power to manipulate future proposals. By the end of the month, the hacker had seemingly relinquished control, having converted a portion of the stolen governance tokens valued at approximately $900,000 into Ether, which were then laundered through the Tornado Cash service.

Further complicating matters, two additional Tornado developers, Roman Storm and Roman Semenov, faced charges related to their alleged involvement in facilitating money laundering, totaling $1 billion. Roman Storm was subsequently apprehended in Washington State and pleaded ‘not guilty’ to the charges against him.