Zcash Vulnerability Fixed, Adding Confidence in Cryptocurrency


In a blog post released on February 5th, 2019, Zcash announced that they had discovered a counterfeiting vulnerability in their cryptography 11 months earlier. The post was published only after they were certain the issue had been fixed and the funds of all Zcash users were protected. The privacy coin has seen controversy in the past over its founder's reward and the perceived centralization that results from it, but this news will likely improve that perception significantly.

In fact, the vulnerability was patched in the Sapling patch, which went live on October 28th, 2018. The announcement was delayed because Horizen (also known as ZenCash) and the Komodo blockchain both suffered from the same issue and needed to be fixed first. Any announcement before then could have endangered the cryptography of those protocols as well.

A Counterfeiting Issue

The issue was a counterfeiting one, not a privacy one. Essentially, an attacker could have created unlimited Zcash without any risk of detection. Zcash employs some of the most sophisticated cryptography in the industry, and this vulnerability can be seen as a side effect of pushing those boundaries.

On March 1st, 2018, Ariel Gabizon, an engineer at the Zerocoin Electric Coin Company, detected the issue and alerted Sean Bowe (one of the authors of the blog post). Everything was remediated covertly, to avoid any risk of someone taking advantage of the vulnerability. Even many of the company's engineers were not told about the problem until after the fact, as this was the best way to maintain operational security.

As of today, the Zcash Company has no reason to believe that this vulnerability was exploited before it was fixed. The vulnerability had existed for years but remained undiscovered by third-party auditors, cryptographers, and scientists. The high level of cryptographic knowledge required to understand it also keeps the pool of people who could have taken advantage of it minimal. Finally, there was no footprint or evidence of an increased number of Zcash in circulation.

The bugs were contained in the zk-SNARKs that enable shielded transactions in the Zcash protocol. Since Horizen and the Komodo blockchain had similar structures, Zcash needed to provide them with some of the remediated code so that they could protect themselves as well. They were contacted by encrypted email in mid-November and are now considered secure too.

Snowden and Public Perception

In an accompanying piece of news, this covert patching and adept handling of the issue has prompted Edward Snowden (the US government secrets leaker) to reiterate his support for Zcash's founder's reward. This is considered one of the more controversial elements of the privacy coin, but he sees it as perfectly justified given how well this vulnerability was handled. In a way, you are paying for quality.

Snowden pointed out that many companies only learn about vulnerabilities after they are exploited, and that this "tax" is able to fund and incentivize a stronger, more vigilant team. There are multiple views on this and on the "centralized" nature of a founder's reward, but that is a discussion for another time.

So to conclude, there was a gaping hole in the security of the protocol, but it is likely that no coins were counterfeited. Additionally, the operational security of the patch was maintained until other projects could be remediated, which reflects well on Zcash. The privacy coin is said to address many of the issues presented by Bitcoin, and it is expected that many looking to store wealth offshore in the coming decade will be buying Zcash.
