Launched in October 2016, Zcash is a privacy-oriented cryptocurrency that claims stronger anonymity than Bitcoin: in its shielded transactions the sender, recipient, and value all remain hidden.
In a blog post published today, the Zerocoin Electric Coin Company (the startup behind Zcash) revealed that one of its employees, Ariel Gabizon, discovered the vulnerability in its code on 1st March 2018, almost a year ago, the night before his talk at the Financial Cryptography conference.
Gabizon immediately contacted Sean Bowe, a Zcash Company cryptographer, and the team, which dubbed the flaw the "counterfeiting vulnerability," decided to keep it secret to avoid the risk of attackers exploiting it before a fix was in place.
According to the company, only four Zcash employees were aware of the issue before a fix was covertly included in the Zcash network on 28th October 2018.
Moreover, since "discovering this vulnerability would have required a high level of technical and cryptographic sophistication that very few people possess," the company believes that no one else was aware of this flaw and that no counterfeiting occurred in Zcash.
The Zcash team has now published full details of the vulnerability on its official site to inform the broader public. Had it been exploited, the flaw would have allowed an attacker to create an unlimited amount of Zcash out of thin air.
Details of the Catastrophic Zcash Vulnerability
According to the team, the counterfeiting vulnerability resided in the BCTV14 variant of zk-SNARKs, the zero-knowledge proof system Zcash uses to validate shielded transactions without revealing their contents (the proofs do not encrypt the transaction data; they let the network verify that a hidden transaction is valid). The same construction has been independently implemented by other projects.
Komodo's blockchains and Horizen (previously known as ZenCash), both of which build on the Zcash code, suffered from the same issue and reportedly fixed it on their platforms after the Zcash team notified them via encrypted email in mid-November 2018.
The vulnerability was the result of a flaw in the "parameter setup algorithm" that allowed "a cheating prover to circumvent a consistency check" and thereby transform "the proof of one statement into a valid-looking proof of a different statement."
In practice, anyone with access to the transcript of the multi-party computation (MPC) ceremony that generated the public parameters for Zcash's shielded transactions (the transcript was published so that the ceremony could be audited) could have used it to forge proofs, and therefore to create an unlimited amount of shielded coins out of nothing.
Although the developers found no evidence that counterfeiting had occurred in Zcash, they confirmed that the vulnerability had existed for years.
“The vulnerability had existed for years but was undiscovered by numerous expert cryptographers, scientists, third-party auditors, and third-party engineering teams who initiated new projects based upon the Zcash code,” the company writes.
Because shielded transactions hide their values, counterfeiting would not be directly visible on the ledger. However, the Zcash Company says it "studied the blockchain for evidence of exploitation: An attack might leave a specific kind of footprint. We found no such footprint."
Fixes for this vulnerability were implemented in the Zcash Sapling network upgrade in October 2018, which replaced the affected proving system with a different zk-SNARK construction and newly generated parameters. Some observers, including former NSA whistleblower Edward Snowden, have applauded the team's handling of the flaw.