Privacy-focused cryptocurrency Zcash fixed a flaw last year that could have allowed an attacker to produce counterfeit currency. The flaw, only revealed this week, existed for two years until the project’s technical team fixed it in October 2018.
Zcash is one of the cryptocurrency world’s most security-conscious projects. It is built on the Bitcoin Core code base, but adds new features for privacy, including shielded transactions. These transactions obscure both the payments and the sender and recipient Zcash addresses, and they also allow for the inclusion of encrypted notes. Participants in a shielded transaction can also disclose specific details to a third party for compliance purposes without revealing everything.
How can transactions be included on a blockchain and agreed upon by everyone if they are entirely secret? The answer lies in zero-knowledge proofs, or in Zcash's case, zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs).
These rely on a common set of parameters known to both the person who wants to prove that a transaction is valid and the person verifying it. You can think of this as a public/private key pair, but the private key is effectively thrown away. It was vital that no one ever found that private key, because it could be used to generate counterfeit ZEC (the name for units of the Zcash cryptocurrency).
To make the generation of this public/private key more secure, six trusted individuals computed it in multiple parts under highly secure conditions in October 2016. Each of these pieces forms part of the whole public key used when verifying a transaction.
The Zcash team took security very seriously during this computation process, even removing wireless and network chips from brand-new computers before using them for the calculations. They wrote the final parts of the public key to DVDs, discarding the private key parts, and then destroyed the computers used for the calculation.
Unfortunately, while the ceremony may have been secured, there was a vulnerability in the cryptographic algorithm itself. Zcash cryptographer Ariel Gabizon discovered the flaw on 1 March 2018 while attending the Financial Cryptography 2018 conference.
The algorithm created extra elements that were not needed and were included by mistake. They enable someone to make a zero-knowledge proof of one transaction look as though it is proving another. Because these parameters were included in the public transcript of the MPC ceremony, anyone with that transcript would have been able to create false proofs and therefore counterfeit any amount of Zcash.
Thus began the long process of fixing the problem, beginning with the removal of the public MPC transcript, which had been published online. The Zcash team didn't believe that many people would have downloaded it, and it would also have taken some serious cryptography expertise to exploit the flaw. Nevertheless, the means to do so were in the public domain, so Zcash needed to be stealthy while it fixed the problem.
Rather than create an emergency hard fork (effectively halting the blockchain and starting a new one to solve the problem), the company decided to fix the issue in a forthcoming upgrade. The vulnerable version of the Zcash network that used the original public key was called Sprout. Zcash was already planning a new version of its network called Sapling with a new public key, which would be generated by a new MPC ceremony. In a blog post about the whole affair, the team said:
The Zcash Company adopted and maintained a cover story that the transcript was missing due to accidental deletion. The transcript was later reconstructed from DVDs collected from the participants of the original ceremony and posted following the Sapling activation.
Sapling was launched on 28 October 2018, effectively fixing the problem. However, there were still issues for other projects. It said:
While Zcash is no longer affected, any project that depends on the MPC ceremony used by the original Sprout system that was distributed in the initial launch of Zcash is vulnerable.
There were two major projects affected: Horizen (formerly ZenCash) and Komodo. Zcash revealed the vulnerability to those teams without disclosing full details, and believes that they have both fixed the problem.
Of note is the fact that the four people initially aware of the problem — Gabizon, Zcash cryptographer Sean Bowe, CEO Zooko Wilcox and CTO Nathan Wilcox — didn’t even brief their own director of security until after the October upgrade, according to the timeline of the vulnerability, published this week. They subsequently informed the VP of marketing and business development, and then Horizen and Komodo. Only after that did they tell their own COO, followed by the five founding scientists behind the original Zcash papers. Then came the internal cryptography team and other employees.
This stealthy approach avoided a hard fork and, according to Zcash, prevented anyone else from exploiting the flaw. That conclusion is based on monitoring the blockchain for changes in the amount of Zcash held in its shielded pool and looking for unusual patterns in the Zcash blockchain.
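The kind of monitoring described above, as an added example that is not Zcash's own tooling: a counterfeit proof would let value leave the shielded pool that was never put in, so the pool's running balance, reconstructed from the transparent side of each Sprout JoinSplit (the `vpub_old` and `vpub_new` amounts), must never go negative. The JoinSplit records below are constructed, and the alert threshold is an assumed illustrative value.

```python
# Added example: reconstruct the Sprout shielded-pool balance from the
# public (transparent-side) values of each JoinSplit and flag the two
# patterns a defender would watch for. Not Zcash's own monitoring code.
# Assumption: each JoinSplit exposes vpub_old (zatoshi moving transparent
# -> shielded) and vpub_new (zatoshi moving shielded -> transparent).
from dataclasses import dataclass

ZAT_PER_ZEC = 100_000_000  # 1 ZEC = 10^8 zatoshi


@dataclass(frozen=True)
class JoinSplit:
    height: int     # block height the JoinSplit was mined in
    vpub_old: int   # zatoshi entering the shielded pool
    vpub_new: int   # zatoshi leaving the shielded pool


def pool_balance_series(joinsplits):
    """Running shielded-pool balance (zatoshi) after each JoinSplit."""
    balance, series = 0, []
    for js in sorted(joinsplits, key=lambda j: j.height):
        balance += js.vpub_old - js.vpub_new
        series.append((js.height, balance))
    return series


def find_anomalies(joinsplits, max_outflow_zec=10_000):
    """Return (height, kind, value) alerts.

    negative_pool: more value has left the pool than ever entered it,
                   which only a counterfeit proof could achieve.
    large_withdrawal: a single outflow above an assumed threshold,
                   the 'unusual pattern' worth a closer look.
    """
    alerts, balance = [], 0
    for js in sorted(joinsplits, key=lambda j: j.height):
        balance += js.vpub_old - js.vpub_new
        if balance < 0:
            alerts.append((js.height, "negative_pool", balance))
        if js.vpub_new >= max_outflow_zec * ZAT_PER_ZEC:
            alerts.append((js.height, "large_withdrawal", js.vpub_new))
    return alerts


# Constructed sample chain: 5 ZEC in, 2 in / 1 out, 7 out (1 ZEC too many),
# then a legitimate 20,000 ZEC deposit followed by a 15,000 ZEC withdrawal.
SAMPLE = [
    JoinSplit(100, 5 * ZAT_PER_ZEC, 0),
    JoinSplit(101, 2 * ZAT_PER_ZEC, 1 * ZAT_PER_ZEC),
    JoinSplit(102, 0, 7 * ZAT_PER_ZEC),
    JoinSplit(103, 20_000 * ZAT_PER_ZEC, 0),
    JoinSplit(104, 0, 15_000 * ZAT_PER_ZEC),
]
```

Running `find_anomalies(SAMPLE)` flags height 102 as a negative pool and height 104 as a large withdrawal; on the real chain the same series would be fed from node data rather than constructed records.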
The whole thing was a narrow escape, explained Andrew Miller, board member of the Zcash Foundation, in a tweet:
The luck is 1. the risk would have been a lot higher if we had done a *better* job of widely propagating the publicly verifiable MPC transcript of the Sprout ceremony. 2. The flaw in the protocol on paper was available for anyone analyzing it to find
— Andrew Miller 🦓🦓🦓 (@socrates1024) February 5, 2019
All of which goes to show that when it comes to keeping cryptocurrency secrets, operational security is only one part of the puzzle. The other lies in using cryptography correctly, which is famously difficult to do.