On the Zcash Counterfeit Flaw Fix: Questions to Ponder

On the Zcash Counterfeit Flaw Fix: Questions to Ponder

Upon the news the Zcash team fixed a flaw last year that could’ve allowed for the unchecked creation of counterfeit ZEC, many in the cryptoverse have applauded the response and a new post-mortem report. Likewise, skeptics have found the case disconcerting. But the episode does generate questions worth considering, both for the neutral and opinionated alike. 

Also read: Blockchain? No Such Thing–Timechains Are the Future

Subscribe to the Bitsonline YouTube channel for great videos featuring industry insiders & experts

‘A Flaw in the Underlying Math of Zero-Knowledge Proofs’

On February 5th, the Zcash team published a report detailing their fix of a counterfeiting bug last year that bad actors could have leveraged to discreetly counterfeit ZEC, one of the cryptocurrency ecosystem’s top privacy coins.

“The counterfeiting vulnerability was fixed by the Sapling network upgrade that activated on October 28th, 2018,” the report’s authors said.

“The vulnerability was specific to counterfeiting and did not affect user privacy in any way. Prior to its remediation, an attacker could have created fake Zcash without being detected. The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users.”

Circled in red is the source of the counterfeiting flaw from a 2013 Zcash paper. Image via Zcash Company CEO Zooko Wilcox-O’Hearn

The Zcash team’s fix in Sapling and their associated report have quickly generated applause around the cryptocurrency ecosystem, including from the likes of privacy advocate and famous National Security Agency leaker Edward Snowden.

On the flip side, skeptics have highlighted the report’s finding that the underlying cryptography was complex enough that the vulnerability went unnoticed for years, even as billions of dollars of ZEC were transacted in that span. Monero (XMR) lead maintainer Riccardo Spagni suggested “moon-math” was the problem.

Beyond the applause and the concern, there’s room for questions in the wake of the fix whose answers may prove productive for stakeholders throughout the cryptoeconomy.

On the Lessons to Be Learned: What’s Next?

First, what should be done to cultivate more expertise around cryptocurrencies? Since few people in the world had the knowledge needed to understand the flaw in the first place, how can more experts be cultivated and deployed so that all stakeholders in the maturing cryptoeconomy have better assurances?

And what about how the Zcash team’s response will affect approaches to future incidents around the space?

As Open Privacy Research Society Executive Director Sarah Jamie Lewis has noted, “[…] interesting longer term questions come to mind, like how announcements of future operational mistakes will trigger speculation that they are a cover story for grand cryptographic bugs.”

Zcash counterfeit
What lessons can other projects learn from Zcash after this bugfix?

Moreover, with this Zcash counterfeit bug fix and Bitcoin’s long-hidden “malicious inflation” bug last year as examples, should more be done to raise general awareness around the currently experimental nature of cryptocurrencies? Is it best to assume for now that top projects have hidden vulnerabilities that reviews and audits have missed?

And what should other cryptocurrency projects take away from the Zcash team’s response? What elements of the Zcash team’s approach should be emulated? Was the in-house performance such that the episode should be characterized as a win for the Zcash Founder’s Reward? Should they have done anything differently?

Lastly, let’s say an attacker had discovered the Zcash counterfeit vulnerability before it had been fixed in Sapling. What would the appropriate response have been from the Zcash team? How should projects react to actual incidences of malicious inflation?

There aren’t necessarily right or wrong answers to these questions. But simply asking them out loud and in good faith can mark small steps toward the wider maturation of the cryptocurrency space.

What’s your take on the Zcash counterfeit bug? What lessons do you personally take away from the episode? Let us know in the comments section below. 

Images via Zooko Wilcox-O’Hearn, Pixabay

Related News