swirl.cash appears to violate Tornado.cash's GPL-3.0 license #75
Description
swirl.cash is claiming to be a Tornado fork on Binance Smart Chain, but their GitHub is missing many of the key components such as the ZK circuits. I asked on their Telegram when they are going to fully publish their source and they said "soon".
Whether they are a legit project or a scam still remains to be seen IMHO, but in the meantime AFAICS they are currently violating Tornado.cash's GPL-3.0 license. For example, compare https://github.com/SwirlCash/SWIRL/blob/master/contracts/MerkleTreeWithHistory.sol with https://github.com/tornadocash/tornado-core/blob/master/contracts/MerkleTreeWithHistory.sol and then observe that https://github.com/SwirlCash/SWIRL does not contain any proper copyright or licensing declarations.
To me it looks like they've initialised a fresh OpenZeppelin project, then copy-pasted in a few bits of Tornado's smart contracts and done a search and replace to change any mentions of Tornado to Swirl. It begs the question: if they are a legit project, why wouldn't they have already published the full forked code base on GitHub? I found similar levels of obfuscation in their frontend code.
In case anyone reads this and wants to make the counter-claim that Swirl has already been audited and/or is safe because liquidity / tokens are locked in Wault Finance:
- That misses the main point of this GitHub issue, which is the apparent GPL-3.0 violation.
- You are probably confusing the security of the tokens locked in Wault with the security of the BNB in the anonymity sets.