
Zcash has been vulnerable to a counterfeiting bug since its launch

Andrew Munro 6 February 2019 NEWS

That Zcash was never attacked is a testament to how obscure this problem was.

Thanks to an obscure and ultra-specific vulnerability in its zero-knowledge proof system, it has been possible all along for an attacker with the right inputs to counterfeit an unlimited amount of Zcash. The same vulnerability extended to Horizen, Komodo and other projects that reused Zcash's cryptography, but it has now been fixed.

The bug was discovered on 1 March 2018 and fixed with the Sapling network upgrade on 28 October 2018. During that time, only four people knew of its existence. Between October and the public announcement, it was disclosed selectively to the other affected projects.

Full public disclosure of the bug came on 5 February 2019, and now the whole world knows.



Unlimited money

The vulnerability was discovered by Ariel Gabizon, a Zcash cryptographer at the time, on 1 March 2018, the night before his presentation at the Financial Cryptography 2018 conference. He then met in person with Sean Bowe, also a Zcash cryptographer attending the conference, who confirmed it. They then told Zcash Company CEO Zooko Wilcox of the issue, who informed Zcash CTO Nathan Wilcox.

The bug took the form of a cryptographic error in the construction of Zcash's zk-SNARK proving system, one that quite a few expert eyes had skipped over before Gabizon caught it. One of the reasons nobody caught it sooner is that it was buried in the published proof parameters and, on the page, looked like this:

What the heck am I looking at?

Zcash's privacy system basically works by blending a bunch of numbers into a smoothie. These smoothies are shielded transactions. You can't tell which numbers went into one just by looking (transactions are private), but the blockchain can still taste the smoothie to confirm it has all the right ingredients (miners can still verify that a transaction is valid without learning its contents).

What you're looking at here is a set of instructions that tells the blockchain what kinds of flavours it should be able to taste in this number smoothie. If it tastes any flavours that aren't on the list, it freaks out, assumes someone's poisoned the smoothie and vomits up that toxic transaction.

The mistake is that some unnecessary extra flavours were included on the "not poison" list, a holdover from an earlier version of the proving system that was never removed.

This is dangerous because it lets someone make fake smoothies, flavour them in just the right way, and feed them to the blockchain. Ordinarily a fake would taste completely wrong and be rejected, but with the help of this mistake it could pass the taste test, which in practice means a proof that creates shielded coins out of nothing would be accepted as valid.

The next challenge for an attacker would have been to actually get the right ingredients and create those flavours. To do this, an attacker would have needed to access the complete Zcash smoothie recipe book, pushing this analogy to breaking point in the process.

The complete recipe book is the transcript of the Zcash MPC ceremony, the multi-party computation that generated the proof parameters. It was publicly available at the time, but it was taken offline as soon as the bug was discovered to keep it out of an attacker's hands.

To help allay suspicion, the Zcash team explained its removal with a cover story along the lines of "It's gone? That's weird. Must be some random hosting issue."

The solution

Two suggestions were floated when the vulnerability was discovered. The first was an emergency update, while the second was a slower, more careful and more subtle update.

The team opted for the latter on the following grounds:

  1. There are few people in the world with the ability to spot that error and most of them probably have better things to do.
  2. An attacker would need the MPC ceremony transcript to carry out an attack, but the Zcash team had already taken it offline and would later destroy it entirely. There were unlikely to be any backups floating around, so to get the transcript an attacker would need to individually approach ceremony participants for their footage of the event and piece it together. That is, in fact, how the Zcash team itself later reconstructed it.
  3. There were other cryptocurrencies and projects with the same vulnerability. Blaring an emergency update would risk exposing their vulnerabilities too.

It proved to be a good choice. Zcash was patched with the Sapling upgrade in October, which replaced the flawed proving system with a different one that does not have this weakness; this is why the fix required a full network upgrade rather than a quick point release. Only at that point were Horizen and Komodo individually informed. The entire thing was so cloak and dagger that even Zcash's director of product security did not know about the vulnerability until after it was fixed.

And mirroring the paradox of a privacy cryptocurrency on a public blockchain, the Zcash team has been at once completely secretive about this issue while it was live and entirely transparent about it now that it is closed.


Disclosure: At the time of writing, the author holds ETH.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.
