Security News > 2024 > February > Malicious code in Tornado Cash governance proposal puts user funds at risk
Malicious JavaScript code hidden in a Tornado Cash governance proposal has been leaking deposit notes and data to a private server for almost two months.
A security researcher using the nickname Gas404 discovered and reported the malicious code, urging stakeholders to veto the malicious governance proposals.
Governance proposals in decentralized autonomous organizations like Tornado Cash are fundamental mechanisms for setting strategic directions, introducing updates, and modifying the core of the technical protocols.
In the case of the Tornado Cash compromise, malicious JS code was introduced two months ago via a governance proposal from 'Butterfly Effects' - allegedly a community developer, and modified the protocol to leak deposit notes to the attacker's server.
Token holders with voting rights were advised to cancel their votes for proposal 47 to revert the protocol changes and remove the malicious code.
To mitigate the risk, Gas404 advises potentially exposed users to switch to a specific IPFS ContextHash deployment previously recommended and verified through Tornado Cash governance.