Privacy-focussed cryptocurrency, Zcash, has disclosed an inflation bug, discovered 11 months ago, which affected its own and several other privacy-coins. Though the Zcash vulnerability has now been remedied, it took 8 months after discovery, and some coins remain exposed.
Zero Knowledge
Last March, a Zcash engineer noticed a mistake in a cryptography paper describing certain ‘zero knowledge’ proofs. Zcash (ZEC) [coin_price coin=zcash] and several other coins, use these proofs to enable many of their privacy features. The mistake meant that an attacker could mint an infinite amount of ZEC (or any other affected coins) without detection.
Zcash kept the discovery quiet; only the small team working on the fix knew about the issue. Team members used encrypted communications to reduce the risk of insider leaks or hackers finding the vulnerability.
In October, eight months after discovery, the bug was surreptitiously patched during a planned network upgrade. Although Zcash have stated that they do not believe the bug was exploited, they cannot be certain.
Infinite Coins
While all this was going on, the other affected projects were kept in the dark. But after implementing their own fix, the Zcash team informed security staff at Komodo and Horizen. These two represented the majority of the market cap of other affected coins, amounting to $72m and $22m respectively.
Both of these projects have subsequently implemented patches, but other smaller privacy-coins were still vulnerable at the time of announcement. This included Bitcoin Private, with an $18m market cap, who have a contentious history with Zcash.
Research unearthed evidence of a covert pre-mine of Bitcoin Private, and the resulting controversy is blamed for tarnishing Zcash. CEO, Bryce Wilcox, explained:
We didn’t want to disclose to more parties until the majority of the exposed market cap had already been protected.
Subtle Vulnerabilities
The disclosure states that the “vulnerability is so subtle that it evaded years of analysis by expert cryptographers focused on zero-knowledge proving systems.”
A commentator on Twitter pointed out that “bleeding edge crypto is risky;” and that although Bitcoin has less privacy features, this leads to a safer system. He also suggested that BTC transparency meant that a similar bug would be caught more quickly.
Does the disclosed bug pose a threat to ZEC and its market value? Share your thoughts below!
Images courtesy of Shutterstock
