A Zcash engineer has spotted a seemingly small bug that he realized would create vulnerability in the cryptocurrency market and jeopardize billions of dollars in capital.
February 06, 2019 | AtoZ Markets – At Zerocoin Electric Coin Company, an engineer has identified an error in a pioneering cryptography paper for a host pf virtual coins, including Zcash’s. Zcash is a start-up that is known for the creation of Zcash – a privacy-owned cryptocurrency. The engineer, Ariel Gabizon, identified this bug on 1st March 2018. The flawed paper described the mathematical foundation of certain cryptocurrency breakthrough that developed the privacy features of digital currency projects including Zcash’s. If this had come to the knowledge of an attacker, he would have exploited the vulnerability to mint an infinite amount of Zcash and other cryptocurrencies that are built on this cryptographic technology. This would have caused a lot of problems which no one would have been able to trace and which ultimately, would have led to loss of huge funds.
Vulnerability Not Yet Exploited On Zcash
Nearly eight months after the discovery of this security hole, Zcash CEO, Bryce Wilcox said his team has patched it immediately it was discovered. He expressed his doubt concerning any exploitation of the vulnerability on the Zcash blockchain. According to him, very few people knew the cryptography well enough to have discovered and exploited it. Besides, there was no abnormally large transfer of Zcash cryptocurrency which might have raised suspicion. However, the Zcash team admitted to no complete certainty that the vulnerability was or has not been exploited. The team expressed its readiness to balance security concerns against the risk of leak. While Zcash and a few other top affected cryptocurrencies have been able to patch up their systems, not every project liable to this bug had been notified. Some projects therefore, appears to still be vulnerable to this bug.
When this bug was first discovered by Gabizon, Zcash leadership had two options. They could have raised an alarm immediately and sent panic to the entire industry and therefore opened several Crypto projects and theirs to obvious attacks, or they could have kept the knowledge of the bug between themselves, fixed it, sneaked it into a network upgrade and quietly alerted other affected parties. The former, which the team opted for, sounds obviously better. A core group of Zcash insiders were made to know of this. The bug was fixed and the so called Sapling Update was done on 28th October.
Just a couple of weeks after Zcash was sure that the bug was fixed on its network, it alerted security contacts at two other affected projects about this vulnerability. On 13th November, Komodo (creator of KMD tokens) and Horizen (creator of ZEN tokens) were alerted. All the three projects group alerted have since patched their codes and upgraded their systems. One of the team members at Horizen, Maurizio Binello, after completing their upgrade on 18th January, said:
We’d like to thank the Zcash team for disclosing their technical concerns and the coordination work… we see this as an important sign of maturity for the whole industry
While these projects appear safe from this bug, smaller projects currently remain vulnerable. One of them is Bitcoin Private, whose virtual coin is valued at $18 million.
Think we missed something? Please share with us in the comment box below.