Zcash has been vulnerable to a counterfeiting bug since its launch
That Zcash was never attacked is a testament to how obscure this problem was.
Thanks to an obscure and ultra-specific vulnerability, it's been possible to print an unlimited amount of Zcash all along. This vulnerability extended to Horizen, Komodo and others, but has now been fixed.
The bug was discovered on 1 March 2018 and fixed with the Sapling update on 28 October. During that time, only four people knew of its existence. From October to now, it was selectively disclosed.
Full public disclosure of the bug came on 5 February 2019, and now the whole world knows.
The vulnerability was discovered by Ariel Gabizon, a Zcash cryptographer at the time, on 1 March 2018, the night before his presentation at the Financial Cryptography 2018 conference. He then met in person with Sean Bowe, also a Zcash cryptographer at the conference, who confirmed it. They then told Zcash leader Zooko Wilcox of the issue, who informed Zcash CTO Nathan Wilcox.
The bug took the form of a cryptographic error, which quite a few expert eyes skipped over before Gabizon caught it. And one of the reasons no one caught it sooner is because it looked like this:
What the heck am I looking at?
Zcash's privacy system basically works by blending up a bunch of numbers into a smoothie. These smoothies are transactions. You can't tell which numbers went into it just by looking (transactions are private), but the blockchain can still taste the smoothie to confirm whether it has all the right ingredients (miners can still verify transactions).
What you're looking at here is a set of instructions that tells the blockchain what kinds of flavours it should be able to taste in this number smoothie. If it tastes any flavours that aren't on the list, it freaks out, assumes someone's poisoned the smoothie and vomits up that toxic transaction.
The mistake is that some unnecessary extra flavours were included on the "not poison" list as a holdover from earlier versions.
This is dangerous because it lets someone make fake smoothies, flavour them in just the right way, and then feed them to the blockchain. Ordinarily, it would taste completely wrong and be rejected by the blockchain, but with the help of this mistake, they could pass the taste test.
The next challenge for an attacker would have been to actually get the right ingredients and create those flavours. To do this, an attacker would have needed to access the complete Zcash smoothie recipe book, pushing this analogy to breaking point in the process.
The complete recipe book is the Zcash MPC Ceremony Transcript. It was publicly available when the vulnerability was discovered, but it was taken offline when the bug was discovered to prevent anyone from accessing it.
To help allay suspicion, the Zcash team explained its removal with a cover story along the lines of "It's gone? That's weird. Must be some random hosting issue."
Two suggestions were floated when the vulnerability was discovered. The first was an emergency update, while the second was a slower, more careful and more subtle update.
The team opted for the latter on the following grounds:
- There are few people in the world with the ability to spot that error and most of them probably have better things to do.
- An attacker would need the MPC ceremony transcript to carry out an attack, but the Zcash team had already taken it offline and would later destroy it entirely. There were unlikely to be any backups floating around, so to get the transcript, an attacker would need to individually reach out to ceremony participants for their footage of the event and then piece it together. This is how it was later reconstructed.
- There were other cryptocurrencies and projects with the same vulnerability. Blaring an emergency update would risk exposing their vulnerabilities too.
It proved to be a good choice. Zcash was patched up with the Sapling update in October, at which point Horizen and Komodo were individually informed. The entire thing was so cloak and dagger that even Zcash's director of product security didn't know about the vulnerability until after it was fixed.
And mirroring the paradox of privacy cryptocurrencies on public blockchains, the Zcash team has simultaneously been completely secretive and entirely transparent about this issue.
Disclosure: At the time of writing, the author holds ETH.