Checkmarx: Tornado Cash Theft Uncovered: Malicious Code Drains Funds for Months
February 2024 by Yehuda Gelb, Security Researcher at Checkmarx
This piece by Yehuda Gelb, security researcher at Checkmarx, highlights
the persistent challenges in ensuring safety and trust in decentralized
financial platforms.
The Tornado Cash open source project was recently compromised with
malicious JavaScript code inserted by a developer, impacting users who
made transactions via the platform since Jan 1st.
This compromise, discovered by security researcher Gas404, raises
serious concerns about the safety of such platforms and the
trustworthiness of their developers.
Checkmarx advises:
- Open-source projects cannot be assumed immune from malicious
activity; attackers can leverage supply chain attacks to compromise
networks.
- Thorough security audits and careful vetting of code and
contributions, even from seemingly trustworthy sources, are essential to
protect against supply chain vulnerabilities.
- Users should remain vigilant about the platforms they use and
understand the associated risks.
Please feel free to use/reference the Checkmarx piece for any pieces you
may be writing around this topic. Do let us know if you have any
questions.