
swirl.cash appears to violate Tornado.cash's GPL-3.0 license #75

Open
aspiers opened this issue Mar 27, 2021 · 3 comments


aspiers commented Mar 27, 2021

swirl.cash is claiming to be a Tornado fork on Binance Smart Chain, but their GitHub is missing many of the key components such as the ZK circuits. I asked on their Telegram when they are going to fully publish their source and they said "soon".

Whether they are a legit project or a scam still remains to be seen IMHO, but in the meantime AFAICS they are currently violating Tornado.cash's GPL-3.0 license. For example, compare https://github.com/SwirlCash/SWIRL/blob/master/contracts/MerkleTreeWithHistory.sol with https://github.com/tornadocash/tornado-core/blob/master/contracts/MerkleTreeWithHistory.sol and then observe that https://github.com/SwirlCash/SWIRL does not contain any proper copyright or licensing declarations.

To me it looks like they've initialised a fresh OpenZeppelin project, then copy-pasted in a few bits of Tornado's smart contracts and done a search and replace to change any mentions of Tornado to Swirl. It begs the question: if they are a legit project, why wouldn't they have already published the full forked code base on GitHub? I found similar levels of obfuscation in their frontend code.

In case anyone reads this and wants to make the counter-claim that Swirl has already been audited and/or is safe because liquidity / tokens are locked in Wault Finance:

  1. That misses the main point of this GitHub issue, which is the apparent GPL-3.0 violation.
  2. You are probably confusing the security of the tokens locked in Wault with the security of the BNB in the anonymity sets.

poma (Collaborator) commented Mar 27, 2021

Enforcing this is too much hassle; this project is unlikely to live more than a few weeks/months.

aspiers (Author) commented Mar 27, 2021

Yes, but issuing an official statement would not take much effort at all, and it would be helpful to make it clear that this is not endorsed by Tornado.cash. It could optionally caution that it does not currently live up to the same high standards of transparency / security, and that users should proceed with extreme caution.

poma (Collaborator) commented Mar 27, 2021

It will only give them more publicity.
