In the whitepaper https://tornado.cash/audits/TornadoCash_whitepaper_v1.4.pdf at definition (1) the very bottom of page 1, "...And O is the opening of H2(r||k)" should read "...And O is the opening of H1(r||k)", changing the MiMC hash H2 to the Pederson hash H1.
In addition the definition (1) of the statement of knowledge S[R, h, A, f, t] does not bind the symbols A, f, and t -- leaving them undefined. Later in the whitepaper, they can be inferred to mean address, fee, and relayer, but I don't think the actual proof circuits need these values. S[R, h] would be more succinct.
In the whitepaper https://tornado.cash/audits/TornadoCash_whitepaper_v1.4.pdf at definition (1) the very bottom of page 1, "...And O is the opening of H2(r||k)" should read "...And O is the opening of H1(r||k)", changing the MiMC hash H2 to the Pederson hash H1.
In addition the definition (1) of the statement of knowledge S[R, h, A, f, t] does not bind the symbols A, f, and t -- leaving them undefined. Later in the whitepaper, they can be inferred to mean address, fee, and relayer, but I don't think the actual proof circuits need these values. S[R, h] would be more succinct.