Tornado.Cash, already considered one of the most popular privacy tools on the Ethereum Network, has recently added even more amazing features. One of those features is on-chain backups, which make managing your deposited funds both easier and safer.
In previous iterations, Tornado.Cash users had to manually back up and locally store their private notes in order to access their deposited tokens or Ether. However, as users began making more and more deposits, it became harder to track and manage them, as well as to identify spent and unspent notes.
This is why Tornado.Cash contributors have implemented on-chain encrypted backups of private notes…
Tornado.Cash has become the largest privacy solution on Ethereum today. Tornado.Cash has been fully autonomous and decentralized, but it’s static — it has no way to evolve. This is a proposal to change that. If this proposal is adopted, then the governance of Tornado.Cash will be entrusted to its users, and Tornado.Cash will be allowed to evolve under the stewardship of its community. This way, the users of Ethereum will control their own privacy protocol.
Here is a proposal for how the Tornado.Cash governance system could work:
TORN is an ERC20-compatible token with a fixed supply that governs Tornado.Cash…
We are excited to announce that we have launched an open-source library that Ethereum developers can use to get the current gas price for their dApp. It automatically uses the Chainlink gas oracle as the default reference price when the off-chain APIs do not or cannot respond. It’s currently live and integrated into the Tornado Cash UI for calculating a user’s recommended gas fee.
Tornado.cash requires users to pay gas fees when making deposits, as well as for relayer services when making withdrawals. Currently, our UI relies on one of four off-chain API endpoints as gas price feeds for calculating…
Maintaining financial privacy is essential to preserving our financial freedom. However, it should not come at the cost of non-compliance.
We all remember an important event in blockchain history that took place just a few months ago, when a user was blocked by one of the well-known centralized exchanges for trying to utilize a privacy solution. If you would like to read more about it, the full story can be found here.
That is why we decided to be ahead of the game and, over the past few weeks, implemented certain compliance-related tools, including the Tornado.cash Compliance Tool. If it…
We have some great news! As we promised in our previous report, we have set the operator address to 0x000000000000000000000000000000000000 on all instances (0.1 ETH, 1 ETH, 10 ETH, and 100 ETH), so that from now on, all tornado.cash contracts are immutable and unstoppable.
From now on, Tornado.cash is largely living by the precepts that code is law. The Tornado.cash smart contracts are running on Ethereum and the community has the decision on whether or not to use our tools.
We are happy to announce that our trusted setup ceremony is now complete.
With a record 1114 contributions, this was by far the largest Trusted Setup Ceremony to date. By comparison, all other trusted setup ceremonies had fewer than 200 participants. Just as we hoped, everything went smoothly and we would like to thank the Ethereum Community for their support and participation.
Tornado.cash utilizes zk-SNARK technology to provide anonymity for withdrawals. The zk-SNARK requires a trusted setup, which is a special procedure that generates the prover and verifier keys. To make sure that it is done in a secure way, so that no one is able to fake proofs or steal user funds, it should be done in a decentralized way. To fake zk proofs, an attacker must compromise every single participant of…
This is a full disclosure of the vulnerability that we published earlier
The potential leak was discovered two weeks ago and disabled immediately to prevent any future exposure.
The leak could only happen in a two-step process. First, a user had to click the “Share URL” button, which created a URL that contained the user's private note information, like so: https://tornado.cash/?note=tornado-eth-0.1-1-0x60f495681bc7048021bbab1301c600c8ff16fbfd3f9ebff4bd01af7d4faec1e8526f5a3642adf72f008b6531fe9e4ca76a994a807cc41455735076f8c51e. After that, if the user opened the full URL in the browser, the requests made from that page to third-party services contained the note data in the Referer HTTP header. Therefore, if any of these services logged this header, they…
We have received a vulnerability report on our UI from @epheph. Only 12 users and a total of 13.2 ETH were affected. If you made a deposit from one of the following addresses, you need to withdraw your note ASAP. You may immediately re-deposit it as a new note, since the bug has already been fixed.
Additionally, 86 deposits that were already withdrawn might have their privacy compromised. If you made a deposit from one of these addresses, please consider utilizing Tornado.cash again.
The exposure was limited to the 98 users who utilized the vulnerable UI feature. All other…
In the current implementation, we only attempt to solve the on-chain part of privacy. There is also network-level privacy that needs to be handled by users.