We have received a vulnerability report on our UI from @epheph. Only 12 users and a total of 13.2 eth were affected. If you made a deposit from one of the following addresses, you need to withdraw your note ASAP. You may immediately re-deposit it back as a new note since the bug has been fixed already.

Additionally, 86 deposits, that were already withdrawn, might have their privacy compromised. If you made a deposit from one of these addresses, please consider utilizing Tornado.cash again.

The exposure was limited to the 98 users who utilized the vulnerable UI feature. All other deposits remain secure. The bug has been fixed and all future deposits will be unaffected by it. Since the issue was only on the UI side, smart contracts remained safe. We are letting you know out of abundance of caution, since this particular bug might only be exploited by a very limited set of services used by our UI such as github, medium, etherscan, infura.

The full disclosure with the details about the bug will be published in 2 weeks on Feb 14, 2020.

Thank you Ethereum Foundation for providing pro bono security audits

Great work by @epheph