**TL;DR** Today, we (the tornado.cash team) successfully exploited the tornado.cash smart contract. Users' funds are safe: all deposits have been migrated from the vulnerable contract to the fixed version, so you can keep using tornado.cash as usual.
The bug was found by Kobi Gurkan in the zk-SNARK implementation of the MiMC hash function in circomlib, which Tornado uses to build the Merkle tree of deposits. When everything works as expected, a user proves that they committed a leaf to that tree at deposit time without revealing the commitment itself. The buggy version did not constrain the resulting MiMC hash to be correct, so the prover could supply any value for it. The fix is simple: the `<==` operator should be used instead of the `=` operator.
From an attacker's point of view, this is an opportunity to fake the Merkle root in the witness, compute a proof, and withdraw 0.1 ETH from the Tornado.cash smart contract without having made a valid deposit. So we had to generate 100 valid proofs for fake deposits and drain the contract before anyone else did.
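To make the `=` versus `<==` distinction concrete, here is an added toy model in Python; it is not circomlib's or tornado.cash's code. It keeps the two things circom keeps apart, the witness (values the prover fills in) and the constraint system (what the verifier actually checks), and builds a MiMC7-style hash gadget over the BN254 scalar field that circom circuits use. The round constants, the four-round count, the depth-1 Merkle path, and the names `Circuit`, `put`, `mimc7_gadget`, `membership_circuit` and `prove` are all assumptions of this example. With `constrain_hash=False` the hash output is assigned but never constrained (the behaviour the post describes for `=`, and what `<--` does in current circom), so a prover who overwrites that signal to match an arbitrary root still satisfies every constraint; with `constrain_hash=True` (the `<==` fix) the same forged witness fails.

```python
"""Toy model of an unconstrained hash output in a zk circuit.
Constructed example; not circomlib's or tornado.cash's code."""

# Scalar field order of BN254, the field circom circuits are arithmetised over.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
# Constructed round constants (assumption); circomlib's MiMC uses fixed ones.
ROUND_CONSTANTS = [7, 11, 13, 17]


def mimc7_plain(x, k):
    """Reference MiMC7-style hash: x <- (x + k + c_i)^7 per round, then + k."""
    for c in ROUND_CONSTANTS:
        x = pow((x + k + c) % P, 7, P)
    return (x + k) % P


class Circuit:
    """Witness (prover-supplied values) kept separate from constraints
    (verifier checks), as in a circom-generated R1CS."""

    def __init__(self):
        self.witness = {}
        self.constraints = []

    def put(self, name, value, check, constrain):
        """constrain=True mirrors `<==`: record the value AND a constraint.
        constrain=False mirrors an unconstrained assignment (`<--`): the value
        is recorded but nothing forces the prover to keep it."""
        self.witness[name] = value % P
        if constrain:
            self.constraints.append(check)

    def satisfied(self):
        return all(chk(self.witness) for chk in self.constraints)


def mimc7_gadget(c, prefix, x, k, constrain):
    """Emit the rounds as quadratic steps (t2=t*t, t4=t2*t2, t6=t4*t2, t7=t6*t),
    the way a circom template must. Returns the output signal name."""
    w = c.witness
    for i, rc in enumerate(ROUND_CONSTANTS):
        t, t2, t4, t6, nx = (f"{prefix}_{n}{i}" for n in ("t", "t2", "t4", "t6", "x"))
        c.put(t, w[x] + w[k] + rc,
              lambda w, a=t, b=x, k=k, rc=rc: w[a] == (w[b] + w[k] + rc) % P, constrain)
        c.put(t2, w[t] * w[t], lambda w, a=t2, b=t: w[a] == w[b] * w[b] % P, constrain)
        c.put(t4, w[t2] * w[t2], lambda w, a=t4, b=t2: w[a] == w[b] * w[b] % P, constrain)
        c.put(t6, w[t4] * w[t2], lambda w, a=t6, b=t4, d=t2: w[a] == w[b] * w[d] % P, constrain)
        c.put(nx, w[t6] * w[t], lambda w, a=nx, b=t6, d=t: w[a] == w[b] * w[d] % P, constrain)
        x = nx
    out = f"{prefix}_out"
    c.put(out, w[x] + w[k], lambda w, a=out, b=x, k=k: w[a] == (w[b] + w[k]) % P, constrain)
    return out


def membership_circuit(leaf, sibling, root, constrain_hash):
    """Depth-1 Merkle membership: root must equal H(leaf, key=sibling).
    The equality against the public `root` is always constrained; only the
    hash rounds depend on constrain_hash, which is where the bug sat."""
    c = Circuit()
    c.witness.update({"leaf": leaf % P, "sibling": sibling % P, "root": root % P})
    out = mimc7_gadget(c, "h", "leaf", "sibling", constrain_hash)
    c.constraints.append(lambda w, a=out: w[a] == w["root"])
    return c, out


def prove(leaf, sibling, claimed_root, constrain_hash):
    """True if some witness satisfies the circuit for claimed_root. When the
    claimed root is not the real hash, the prover overwrites the output
    signal; this only succeeds if that signal was left unconstrained."""
    c, out = membership_circuit(leaf, sibling, claimed_root, constrain_hash)
    if c.witness[out] != claimed_root % P:
        c.witness[out] = claimed_root % P
    return c.satisfied()


if __name__ == "__main__":
    leaf, sibling = 1234, 5678                      # constructed values
    real_root = mimc7_plain(leaf, sibling)
    print("honest root, fixed circuit :", prove(leaf, sibling, real_root, True))
    print("forged root, fixed circuit :", prove(leaf, sibling, 999, True))
    print("forged root, buggy circuit :", prove(leaf, sibling, 999, False))
```

The useful review habit this illustrates: every signal written with an unconstrained assignment must be pinned down by an explicit constraint somewhere, otherwise the verifier never learns the prover's value was computed correctly. Counting constraints per gadget (here 21 for the hash plus one root equality) against what the template is supposed to enforce is a cheap sanity check.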
Later, we will release a step-by-step guide on how this exploit works, to educate interested security professionals.
Migrating state to a new version
Since we had to act fast, we implemented a temporary version of the Tornado smart contract that allows our team to upload the state (the history of deposits and withdrawals) from the previous contract.
We also turned off depositing for the old version at the smart contract level. Since we drained the old contract, no one can make a withdrawal from it now. If you had a deposit in the old contract, you should be able to withdraw your funds from the new contract.
The temporary contract is upgradable using the proxy delegate pattern. Once the Tornado Cash team's pending audit is complete, the contracts will be upgraded to remove the team's ability to control the contract state, and the upgradability permissions will be revoked. The Tornado Cash contract will be immutable no later than two months from the release of this disclosure.
This vulnerability has been mitigated and all funds have been migrated to the new Tornado Cash contract, where they are available for withdrawal. Anonymity has been 100% preserved throughout the process. The vulnerability was in the MiMC library, a dependency of the Tornado Cash contract. We are currently not aware of any other smart contracts compromised by this vulnerability, but smart contracts that use this library should make sure they are using the patched version.
Important note: anonymity was not broken by this hack; it is still equal to the original Tornado anonymity.
Important note #2: while the audit is still pending, we decided to use an upgradable contract proxy temporarily, so that we can keep iterating until the final version. The final release will not be upgradable. We plan to release it no later than in 2 months.
Special thanks to Kobi Gurkan, Barry Whitehat and Chris Whinfrey, who helped the tornado.cash team work through this issue.