Tornado.cash vulnerability alert

Tornado Cash
Feb 1 · 1 min read

We have received a vulnerability report on our UI from @epheph. Only 12 users and a total of 13.2 eth were affected. If you made a deposit from one of the following addresses, you need to withdraw your note ASAP. You may immediately re-deposit it back as a new note since the bug has been fixed already.

Additionally, 86 deposits, that were already withdrawn, might have their privacy compromised. If you made a deposit from one of these addresses, please consider utilizing Tornado.cash again.

The exposure was limited to the 98 users who utilized the vulnerable UI feature. All other deposits remain secure. The bug has been fixed and all future deposits will be unaffected by it. Since the issue was only on the UI side, smart contracts remained safe. We are letting you know out of abundance of caution, since this particular bug might only be exploited by a very limited set of services used by our UI such as github, medium, etherscan, infura.

The full disclosure with the details about the bug will be published in 2 weeks on Feb 14, 2020.

Thank you Ethereum Foundation for providing pro bono security audits
Great work by @epheph

Tornado Cash

Written by

Non-custodial private transactions on Ethereum. tornado.cash

More From Medium

Related reads

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade