So four days ago a new proposal for Tornado Cash was accepted, which means an update to the UI version (tornadocash[.]eth[.]limo and some other domains). I haven't seen anyone doing a deep dive on the diff yet, so I have spent several hours carefully reviewing the changes, including a detailed check of each dep update reflected in the new `yarn.lock` file. I documented my findings in a gist (see comment section). tbh I would greatly appreciate additional review from others as I can always miss something, but based on my analysis so far, the changes appear legitimate & I have found _no evidence_ suggesting a supply chain attack, despite some concerns raised by some.