TLDR: Brave sends a referral header for crypto websites. They introduced Tor browsing inside the browser, but that header was still being sent inside a Tor session, along with the file created in config that keeps track of it. He reported it, was assigned a CVE, and Brave fixed it.

Write-up by the person who reported it: https://community.disclose.io/t/how-i-found-a-tor-vulnerability-in-brave-browser-reported-it-watched-it-get-patched-got-a-cve-cve-2020-8276-and-a-small-bounty-all-in-one-working-day/65

(I don’t think Tor on Brave is ready; it’s best not to use that feature at the moment, since they have a number of issues on GitHub to improve anonymity, stop leakage, etc.)