Advix Blog

How can AI prevent troubles? The Aftermath of Tornado Cash

Cybersecurity Technology
Recently, a new problem with Tornado Cash came up – this time, it's about bad code that might have stolen money from people using a backdoored UI version to put money into Tornado Cash. We're still not sure how much money was lost.

Hidden Threats

Tornado Cash is a DAO, which means people vote on changes to how it works.

On December 23, 2023, another proposal was put forward (https://forum.tornado.ws/t/proposal-44-force-withdrawals-via-relayers/299).

The essence of the proposal is to simply update the UI and its decentralized source:
Proposal to Tornado Cash text
Tornado's user interface is stored on IPFS (InterPlanetary File System), and this proposal suggests updating the links to it.
The essence of the proposal
The hashes at the end are the new links. They can't be accessed without a separate IPFS client, and this is the first obstacle to automating the analysis of changes.

This address stores the modified JS code of Tornado's frontend, and among others, it contains this file: https://cloudflare-ipfs.com/ipfs/bafybeiahmpy4e3p4ao2sqqxc2kb4htwl3oklsjncz2are6vnljecmdgmou/_nuxt/3ec552e.js

The file is obfuscated, making it hard to analyze by a human eye, but if we ask ChatGPT to search for a backdoor within it, voilà.
Issues identified by ChatGPT
This is the backdoor that later activated and caused significant losses to clients.

How to catch such issues?

Feeding all the code into AI is not yet feasible, so it's necessary to implement secure development practices.

The SAMM model can be taken as a foundation: https://owaspsamm.org/model/

In particular, conducting a Threat Assessment can help identify the most vulnerable spots and then implement a Change Management process with mandatory approvals for changes. An AI assistant can help summarize the essence of the changes.

At Advix, we know a lot about keeping digital stuff safe, including in the world of crypto. If you need help or advice, get in touch with us at sales@advix.com. Let us help keep your digital world safe.