tornadocash / tornado-core

Tornado cash. Non-custodial private transactions on Ethereum.
https://tornado.cash
GNU General Public License v3.0
1.48k stars 554 forks source link

swirl.cash appears to violate Tornado.cash's GPL-3.0 license #75

Open aspiers opened 3 years ago

aspiers commented 3 years ago

swirl.cash is claiming to be a Tornado fork on Binance Smart Chain, but their GitHub is missing many of the key components such as the ZK circuits. I asked on their Telegram when they are going to fully publish their source and they said "soon".

Whether they are a legit project or a scam still remains to be seen IMHO, but in the meantime AFAICS they are currently violating Tornado.cash's GPL-3.0 license. For example, compare https://github.com/SwirlCash/SWIRL/blob/master/contracts/MerkleTreeWithHistory.sol with https://github.com/tornadocash/tornado-core/blob/master/contracts/MerkleTreeWithHistory.sol and then observe that https://github.com/SwirlCash/SWIRL does not contain any proper copyright or licensing declarations.

To me it looks like they've initialised a fresh OpenZeppelin project, then copy-pasted in a few bits of Tornado's smart contracts and done a search and replace to change any mentions of Tornado to Swirl. It begs the question: if they are a legit project, why wouldn't they have already published the full forked code base on GitHub? I found similar levels of obfuscation in their frontend code.

In case anyone reads this and wants to make the counter-claim that Swirl has already been audited and/or is safe because liquidity / tokens are locked in Wault Finance:

  1. That misses the main point of this GitHub issue, which is the apparent GPL-3.0 violation.
  2. You are probably confusing the security of the tokens locked in Wault with the security of the BNB in the anonymity sets.
poma commented 3 years ago

Enforcing this is too much hassle, this project is unlikely to live more than a few weeks/months

aspiers commented 3 years ago

Yes but issuing an official statement would not take much effort at all, and it would be helpful to make it clear that this is not endorsed by Tornado cash. It could optionally caution that it does not currently live up to the same high standards of transparency / security, and that users should proceed with extreme caution.

poma commented 3 years ago

It will only give them more publicity