Zcash reveals a major counterfeiting vulnerability
Yesterday, it was revealed by the Zerocoin Electric Coin Company (the company behind Zcash) that a major counterfeiting vulnerability in Zcash had been detected and successfully remediated.
Thought an employee discovered the issue in March of last year, a handful of people at Zcash intentionally kept it a secret until now. It was patched in the Sapling network upgrade which happened in October and the company claims that there is no evidence that the vulnerability was discovered or exploited at any point in time.
A blog post released yesterday describes the covert mitigation strategy which kept the vulnerability a secret until it could be included in the Sapling upgrade.
Some thoughts on this.
- The decision to address the issue covertly is a defendable choice. The alternative, which involved an emergency hardfork, would have been a costly and resource intensive operation.
- Weighing both the options to disclose and hardfork, or conceal and wait until Sapling to push a fix, it's likely the former would have caused more reputational harm to Zcash.
- With very high confidence that the vulnerability had not and would not be discovered, I believe the members of the Zcash team who came up with the mitigation plan acted rationally and ethically.
With that in mind, this should serve as an important lesson to the industry and anyone who owns cryptocurrencies. These are incredibly nascent technologies. A small undiscovered vulnerability could bring down an entire house of cards in an instant.
I thought Ethan Buchman (Tendermint/Cosmos) had an accurate response.
In a series of Tweets, he describes the delicate nature of cryptographic algorithms and the absence of peer review processes. Here's an excerpt.
As for peer review. Outside computer science, where peer review is pretty fundamentally broken, the idea that something is ok because of peer review is laughable. If anything it might be an anti-signal by now. In computer science, we're on moderately sturdier ground but not nearly sturdy enough! The ZCash team said it themselves:
This vulnerability is so subtle that it evaded years of analysis by expert cryptographers focused on zero-knowledge proving systems and zk-SNARKs"
Why will any of the other new magic math be any different?
Indeed, for most people, even the Elliptic Curve algorithms in Bitcoin are magic math. This episode reminds us that even blindly trusting expert cryptographers is not an option.