Developers behind the privacy-focused cryptocurrency Zcash have patched a security flaw that could have allowed hackers to create an unlimited amount of counterfeit coins.
Roughly one year ago, cryptographer Ariel Gabizon discovered what appeared to be a “subtle” bug in zk-SNARKs, a tool to hide user identities and currency balances. The bug could have allowed attackers to overwhelm Zcash’s financial ecosystem with falsified currency, perhaps enough to undermine trust in the cryptocurrency altogether. The problem also could have imperiled the partnership between Zerocoin Electric Coin Company, the organization behind Zcash, and JPMorgan Chase.
“Prior to its remediation, an attacker could have created fake Zcash without being detected,” members of the Zcash team said in a blog post Tuesday. “The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users.”
Gabizon, a ZECC employee, discovered the issue in March 2018. Only four members of the Zcash team knew about the vulnerability, which was fixed in October.
“It was not reported publicly at the time in order to protect against it being exploited prior to its remediation, and to provide information and remediated code to other projects that were also vulnerable,” the Zcash blog stated. “We employed stringent operational security measures to keep its existence a secret, even from our own engineers.”
Former National Security Agency contractor Edward Snowden praised the disclosure in a tweet Tuesday, saying “some other projects learn about bugs like this only AFTER people have lost money.”
Zcash is not as popular as bitcoin or other cryptocurrencies, but it has attracted attention at the top levels of corporate America. JPMorgan Chase CEO Jamie Dimon famously called bitcoin a “fraud,” though the international bank in 2017 announced a partnership with Zcash. Chase baked Zcash’s privacy technology into Quorum, its own enterprise-focused blockchain product.
The attraction stems in part from Zcash’s development of a concept called zero-knowledge proof, in which users can offer a small piece of information to verify their identity without sharing too much data, according to the MIT Technology Review. The technology could have wider implications for the financial sector.
“In the case of Zcash, users can use [zero-knowledge proof] to prove they have sufficient funds to make a valid transaction,” MIT Technology Review’s Mike Orcutt reported in 2017. “In an enterprise system like JP Morgan’s Quorum, customers could use it to do things like prove they are accredited investors.”