Imagine a successful, widely known digital asset having a vulnerability in its system that would allow a hypothetical hacker to “produce” as many coins or tokens as he/she wants. Such a scenario has the potential to severely affect several sectors of the market, and that is what almost happened to Zcash last year.
The enterprise that manages the reigns of Zcash, a privacy-focused cryptocurrency, revealed this week that it had to fix a potentially catastrophic code bug in 2018 that could have been taken advantage of in order to “print” infinite tokens.
The company issued a report on Tuesday, February 5th in which it detailed the situation. As it turns out, Zcash’s cryptographer Ariel Gabizon found out about the “subtle” bug several months ago, in zk-SNARKS.
Zcash and zkSNARKS
zk-SNARKS is the cryptography implemented by Zcash with the objective of protecting balances and the identity of its user community. Thanks to zk-SNARKS, people cannot have access to the financial data of users.
Before announcing the threat to the masses, Zcash staffers and developing team decided to keep it to themselves and work tirelessly to find a solution. Thankfully, the group found a fix, which was added to the cryptocurrency’s large Sapling upgrade, executed five months ago in October 2018. In fact, Tuesday announcement marked the first time that Zcash has talked about the bug in public.
In the case the team had not been able to encounter a solution, the vulnerability carried significant risk. If exploited, a cybercriminal would have been able to print the Zcash coins he/she wanted.
The company, through its Marketing Director Josh Swihart, its Director of Product security Benjamin Winston, and its engineer Sean Bowe, said that “prior to its remediation, an attacker could have created fake Zcash without being detected. The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users.”
Because of zk-SNARKs’ nature as a privacy technology, it is not easy to determine with 100% accuracy whether the coins were actually counterfeited. The staff, however, does not think that Zcash was actually at risk because of several reasons, including “discovery of the vulnerability would have required a high level of technical and cryptographic sophistication that very few people possess.”
Even Edward Snowden praised Zcash about its approach to manage the potential bug: “a lot of people wonder why I like #Zcash despite the Founder’s Reward. Here’s a reason: that tax funds a quality team that catches and kills serious bugs in-house, before they get exploited,” he said via Twitter. “Some other projects learn about bugs like this only AFTER people have lost money.”
Zcash is, currently, the 21st criptocurrency by market cap. At the moment of this writing, Zcash is trading at $46.24, down 4.38% in the last 24 hours. It has a $269,707,838 market cap, and the trading volume in the last day was $141,477,309. There are 5, 833,131 ZEC in circulation right now.
By Andres Chavez