Zcash vulnerability could have resulted in the loss of millions of dollars

Zcash, a leading privacy cryptocurrency in the market, recently announced that they had found counterfeiting vulnerability in the “cryptography underlying some kinds of zero-knowledge proofs”. Interestingly, this vulnerability was detected by the Zcash company in March 2018, around eleven months back. This was later fixed in October 2018 during the Sapling Network upgrade.

The details of the vulnerability was not disclosed earlier because the Zcash company did not want the attackers to exploit it. Notably, in an attempt to prevent an attack from happening, three members from the Zcash community including Zooko Wilcox, the CEO of the Zcash Company, decided to delete the MCP protocol transcript, “which would allow an adversary to create false proofs” from all the platforms it would have been available to the community. It was deleted “under a coinciding operational security cover story.” Soon after this, the team decided to delete all the back-up there was of the transcript as well. The team further claimed that this transcript was hardly downloaded.

According to the official announcement, the vulnerability did not have any effect on users’ privacy and was limited only to counterfeiting. This means that an attacker could have only been able to create fake Zcash. The attacker also had an opportunity to pull this off successfully without being detected. More so, the team also revealed in the report that the counterfeit vulnerability was present in the Zcash code for several years, prior to its detection.

Despite its severity, the team claims that the vulnerability has not been previously exploited and also laid down reasons as to why it would have not been discovered by anyone in the space. The reasons laid down by the company as to why they are confident that the vulnerability was not discovered are:

  • Required high-level of technical and cryptographic sophistication to detect the vulnerability and according to them, only a very few people possess such high-level skills
  • It managed to go undetected for several years by auditors, cryptographers, scientists, and even engineering teams who launched new projects based on Zcash code
  • The team has not yet found any evidence pertaining to the exploitation of the vulnerability. They added that if it had occurred, it would have been detected by monitoring the total amount of Zcash held in sprout addresses
  • The company took “extraordinary” steps to minimize the possibility of an attack
  • Based on their study on the blockchain, an attack would have left a footprint and the team did not find any

However, the company did add that even though Zcash itself is in safe haven right now, there are projects that can be affected by this. This can be any project that is dependant on the “MPC ceremony used by the original sprout system that was distributed in the initial launch of Zcash.” Furthermore, the company also revealed that this was disclosed to third-party projects: Horizen [aka ZenCash] and Komodo.

The announcement read:

“We believe that the steps we have taken to mitigate the issue while working to ensure the safety of Zcash users has been successful. More information on the specific events that transpired from the initial discovery of the counterfeiting vulnerability through this disclosure will be covered in a future post.”

Peter Todd, an applied cryptography consultant said on Twitter:

“Reality is bleeding edge crypto is risky; second inflation bug they’ve had. (first being caught prior to release) BTC has categorically worse privacy than ZEC on L1, but the trade-off is a safer system re: total loss. Had this been exploited, it could have easily been a hundreds of millions of dollars loss.”

He further said:

“Zcash has gotta be the least honest competent team in crypto. Also, their story that the transcript was hardly downloaded shows how right my criticisms of the lack of auditing was: basically no one had actually checked that the ceremony was correct which they refuted multiple times. For instance the “deterministic” build broke ~1mth after.”

Be the first to comment

Leave a Reply

Your email address will not be published.