OFAC Unshackles Tornado Cash—But Security Hawks Warn: Frontend Remains a Minefield

Blockchain forensic experts and crypto proponents highlight a February 2024 episode in which adversaries allegedly injected malicious Javascript scripts into Tornado Cash’s governance proposal infrastructure.

This intrusion—which leveraged decentralized storage gateways to siphon user assets—exposes a pressing weakness, eroding confidence in the platform’s defenses despite its revived legal standing.

Last year’s warning from the Tornado Cash Developers X account (now deleted).

This development trails OFAC’s Friday announcement removing economic restrictions against Tornado Cash. The U.S. agency disclosed a formal communication confirming the platform’s removal from its sanctions registry.

While pledging ongoing scrutiny of transactional activity, the Treasury simultaneously released an expansive registry of previously blacklisted entities, including Tornado Cash and an array of associated cryptocurrency wallets.

“For those who will start using Tornado again remember that the main frontend is still compromised,” onchain detective ZachXBT cautioned hours after OFAC removed the Ethereum-based mixing service from its sanctions roster.

Observers highlighted Tornado Cash’s open-source architecture, suggesting users could independently deploy its front-end interface, while some proponents distributed hardened IPFS hashes to sidestep vulnerabilities.

Nevertheless, a chorus of experts urged vigilance, framing engagement with the protocol as a potential forfeiture risk of digital holdings should its lingering vulnerabilities materialize.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。