The development team behind the privacy coin Zcash has revealed a flaw in its code that could have led to the loss of millions if exploited. Zcash published a blog post on its website describing how it handled the bug from the time it was first identified, eleven months ago.
Details of the Zcash Vulnerability
According to the blog post, the vulnerability was discovered on March 1, 2018 by Ariel Gabizon, a cryptographer at the Zerocoin Electric Coin Company (the Zcash Company), which is responsible for development of the network. For security reasons, the company kept the information closely guarded; the fix shipped on October 28th, 2018 as part of the Sapling network upgrade.
The bug, Zcash said, could have allowed an attacker to create counterfeit Zcash without being detected. The flaw was so subtle, it explained, that it was missed in audits by expert cryptographers, scientists and third-party auditors, and by the third-party engineering teams who used the Zcash code. That is one reason the company believes the flaw was neither discovered nor exploited by anyone else.
User Privacy Could Not Have Been Compromised
The main attraction of anonymity coins such as Zcash, Monero or Dash is that they hide the identity of users and the details of transactions on the network. Zcash does this with zk-SNARKs, a form of zero-knowledge proof. Even if the flaw had been exploited, it would not have compromised the anonymity of transactions shielded behind z-addresses. “The vulnerability was specific to counterfeiting and its exploitation would not have impacted privacy,” the statement noted.
Although Zcash did not explain why it waited until now to inform the community, given that the flaw was fixed last October, it did say it had shared the remediation code with at least two projects that use the Zcash source code. It warned that projects still depending on the parameters produced by the MPC ceremony for the original Sprout system, which shipped with the initial launch of Zcash, could still be vulnerable.
Mixed Responses To The News of Vulnerability
Cryptocurrency followers are all too aware of the danger posed by a flaw like the one Zcash revealed. The community, however, seems divided: one camp commends Zcash for fixing the bug internally before it could be exploited, while another casts doubt on the security of the network.
Peter Todd, an applied cryptography consultant, was critical of the Zcash project in his response. He wrote on Twitter:
“Reality is bleeding edge crypto is risky; second inflation bug they’ve had…Had this been exploited, it could have easily been a hundreds of millions of dollars loss.”
On the other hand, Edward Snowden, the privacy advocate and well-known whistleblower, reiterated his support for Zcash despite the bug.
“A lot of people wonder why I like #Zcash despite the Founder’s Reward. Here’s a reason: that tax funds a quality team that catches and kills serious bugs in-house, before they get exploited. Some other projects learn about bugs like this only AFTER people have lost money.”