I'm less concerned for the encryption. In principle, Tor guarantees anonymity - my question is really, "How guaranteed is that anonymity, assuming Tor's implementation is correct?"
I concur that, if anyone has been able to break Tor, they haven't made use of it in any public way. You can only really do that once.
Put another way: Suppose I want to know who is sending messages to the New Yorker's strongbox, but I don't have physical access to their isolated system. Can I figure it out? How many Tor nodes would I need to compromise to have a ~5% shot at discovering interesting information about the sender?
I am not sure you can put down a real number, but the developers are in concert with power users, and they are well aware of when something is fishy and they patch quickly, specifically for the very well-known state actors that Tor irks (e.g., China and Iran). See one such recent example:
And yes, I know this supposes it is an obvious attack vector, and this is not really disastrous; they got blocked. I encourage you to read the Tor Project blog. They did, for example, an excellent writeup of how BEAST was not impacting them, and did a very detailed layman's article on how, even if their implementation did not pad TLS the way it did, would still not be exploitable with the BEAST exploit.
There are a lot of eyeballs, and all the usual cathedral and bazaar quotes will tell you I trust their implementations, despite its dubious origin with a Naval Postgraduate School thesis, than other systems that are not open source.
I concur that, if anyone has been able to break Tor, they haven't made use of it in any public way. You can only really do that once.
Put another way: Suppose I want to know who is sending messages to the New Yorker's strongbox, but I don't have physical access to their isolated system. Can I figure it out? How many Tor nodes would I need to compromise to have a ~5% shot at discovering interesting information about the sender?