Privacy-focused cryptocurrency Zcash has revealed that it discovered and patched a catastrophic vulnerability that would have allowed an attacker to print infinite Zcash (ZEC) coins.
In a blog post published on Tuesday, February 5, the company behind the privacy coin reveals that its cryptographer Ariel Gabizon discovered the flaw in March last year, on the night before he presented a talk at the Financial Cryptography 2018 conference.
Gabizon immediately contacted another Zcash cryptographer, Sean Bowe, and together they met the company’s CEO, Zooko Wilcox, who was also attending the conference.
The “subtle” flaw was discovered in zk-SNARKs, the cryptographic technology Zcash uses to shield transactions on the network from outside observers.
The Zcash team of four, including CTO Nathan Wilcox, kept quiet about the discovery of the vulnerability and chose to go ahead with the task of developing a fix.
The group is said to have developed and then covertly deployed mitigations for the flaw by including them in Zcash’s Sapling upgrade, which was executed on October 28 last year.
The counterfeiting vulnerability was thus removed, although other measures being implemented seemingly prevented public disclosure until yesterday.
According to the blog post, “the counterfeiting vulnerability has been fully remediated,” and Zcash users do not need to take any action.
However, the company notes that:
“Prior to its remediation, an attacker could have created fake Zcash without being detected.”
Zcash also revealed that its team alerted other projects that had independently implemented the zk-SNARKs protocol.
Both Horizen (formerly ZenCash) and Komodo reportedly received an encrypted email disclosing the impact of the vulnerability and “the fix path” in mid-November.
According to Zcash, “it appears that both Horizen and Komodo have taken appropriate actions” as per the recommendations of its team.
The privacy coin has indicated that it is likely no one else ever knew of the vulnerability and that Zcash had not suffered any counterfeiting.
Among the reasons for this belief, the company said, was that discovering the bug “would have required a high level of technical and cryptographic sophistication that very few people possess.”
There is no “footprint” whatsoever to suggest that anyone tried to exploit the vulnerability or succeeded in doing so.
The Zcash team has received praise from several quarters, including whistleblower Edward Snowden, for the way it handled the bug.
He tweeted that despite the negative aspect of having a founder’s reward, at least the tax “funds a quality team” that he says can “catch” and handle security threats and risks “in-house before they get exploited.”
In February 2018, Grayscale Investments released a price forecast indicating that Zcash (ZEC) could hit over $62,000 in the next six years.
Grayscale made the prediction based on the potential use for the coin due to its privacy and anonymity features. If 10 percent of offshore wealth was secured using ZEC by 2025, then the digital currency could hit the $62k value.
The token currently trades at $46 against the U.S. dollar.