"Malicious Code in Tornado Cash Governance Proposal Puts User Funds at Risk"
For nearly two months, malicious JavaScript code hidden within a Tornado Cash governance proposal has been leaking deposit notes and data to a private server. Tornado Cash is a decentralized, open-source mixer on the Ethereum blockchain that ensures transaction privacy through non-custodial, trustless, and serverless anonymization. Governance proposals in Decentralized Autonomous Organizations (DAOs) such as Tornado Cash are important mechanisms for establishing strategic directions, presenting updates, and changing the core of technical protocols. Token holders submit them on-chain, and the project's community then discusses and votes on them. If accepted, the proposals are applied to the protocol. A security researcher named Gas404 discovered and reported the malicious code, calling on stakeholders to reject the malicious governance proposals. This article continues to discuss the discovery of malicious code in a Tornado Cash governance proposal.
Submitted by grigby1