Zcash Company discloses fixes to counterfeit vulnerability on the Zcash network

Security • February 5, 2019, 12:03PM EST
UPDATED: February 5, 2019, 12:08PM EST
The Block

Today, the Zcash Company, the main developers of the Zcash protocol, announced that they have fixed a vulnerability that would have enabled attackers to create counterfeit ZEC on the network. A Zcash Company employee first discovered this vulnerability in March 2018.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

The vulnerability was the result of a "parameter setup algorithm" which "allows a cheating prover to circumvent a consistency check" that limits the number of ZEC being produced. Anyone with access to the multi-party computation transcript, which is used to set up the privacy features for Zcash, could create false proofs and inflate the supply of ZEC. While the Zcash Company found no evidence that this vulnerability was exploited, ultimately, attackers could have created an endless supply of ZEC.

Fixes for this vulnerability were implemented in the Zcash Sapling network upgrade in October 2018. The Zcash Company also notified other protocols that leverage the same privacy tech used by Zcash like Horizen and Komodo to help them patch this vulnerability.

About Author

Steven Zheng is a researcher for The Block. He joined The Block in August 2018. Steven graduated from St. John’s University with a degree in economics. Previously, he covered blockchain and crypto at Radicle, a startup analytics firm. He also had brief stints at Cheddar, a media startup, and Bowery Capital, a venture capital firm. He owns bitcoin. Follow Steven on Twitter at: @Dogetoshi

More by Steven Zheng