"Malicious Code in Tornado Cash Governance Proposal Puts User Funds at Risk"

For nearly two months, malicious JavaScript code hidden within a Tornado Cash governance proposal has been leaking deposit notes and data to a private server. Tornado Cash is a decentralized, open-source mixer on the Ethereum blockchain that ensures transaction privacy through non-custodial, trustless, and serverless anonymization. Governance proposals in Decentralized Autonomous Organizations (DAOs) such as Tornado Cash are important mechanisms for establishing strategic directions, presenting updates, and changing the core of technical protocols. Token holders submit them on the chain, and from there, they are discussed and voted on by the project's community. If accepted, the proposals are applied to the protocol. A security researcher named Gas404 discovered and reported the malicious code, calling on stakeholders to reject the malicious governance proposals. This article continues to discuss the discovery of malicious code in a Tornado Cash governance proposal. 

Bleeping Computer reports "Malicious Code in Tornado Cash Governance Proposal Puts User Funds at Risk"

Submitted by grigby1

Submitted by Gregory Rigby on