A backdoor has been discovered in the Tornado Cash interface to intercept deposit data
According to representatives of the community, it has been functioning for two months now
Yu Xiang, the founder of the auditing blockchain company SlowMist, announced an exploit of the interface of the Tornado Cash cryptomixer included in the US sanctions list. So, according to anonymous blockchain developers referred to by Xiang, a backdoor capable of intercepting certificates of deposit has been operating in the IPFS version of the frontend of the service for two months.
According to Xiang, the malicious mechanism was introduced through voting as a result of an attack on the management mechanism of the decentralized autonomous organization (DAO) Tornado Cash. The funds of users who have made deposits to the mixer using IPFS over the past two months are at risk.
According to the community, malicious code was covertly embedded in a management proposal made two months ago by a developer under the nickname Butterfly Effects, and since January 1, Tornado Cash deposit records have been leaking to a private malicious server under his control. At least one case of theft of the mixer user's deposit in ETH coins has been identified.
