Vulnerability disclosure

This is a full disclosure of the vulnerability that we published earlier

The potential leak was discovered two weeks ago and disabled immediately to prevent any future exposure.

The leak could only happen in a two step process. First, a user had to click “Share URL” button which created a URL that contained your private note information, like so: https://tornado.cash/?note=tornado-eth-0.1-1-0x60f495681bc7048021bbab1301c600c8ff16fbfd3f9ebff4bd01af7d4faec1e8526f5a3642adf72f008b6531fe9e4ca76a994a807cc41455735076f8c51e. After that, if the user opened the full URL in the browser the requests made from that page to the third-party services contained note data in the Referer HTTP header. Therefore, if any of these services logged this header, they could have access to the note data. That meant a possibility of funds withdrawal from unspent notes and exposure of a connection between deposits and withdrawals for the spent notes.

Here’s a list of the third-party services that are utilized by Tornado.cash UI:

• https://github.com
• https://twitter.com
• https://t.me
• https://medium.com
• https://www.torproject.org
• https://ip.tornado.cash
• https://etherscan.io
• https://mainnet.infura.io
• https://www.etherchain.org
• https://gasprice.poa.network
• https://fonts.googleapis.com
• https://mainnet.torelay.eth
• https://mainnet.sender.eth
• https://mainnet.frelay.eth
• https://mainnet.poanet.eth
• Custom Relayers (user-entered)

One of those services was our own ip.tornado.cash server. Using its logs we were able to recreate the list of notes that got exposed. There were 98 notes in total, 12 of which were unspent. At the moment of publishing this post, there are only 7 unspent notes left totaling 2.5 ETH.

We would like to reiterate, that all other users, who never completed BOTH steps, were unaffected. Luckily, this exposure was limited, discovered early and no one reported funds lost.