Developers of anonymous cryptocurrency Zcash have discovered an exploit in the client that could be used to knock the network’s nodes offline.
Zcash DoS Vulnerability Found
Zcash CEO Zooko Wilcox reported that, as of April 13, the team fixed the bug in a new implementation of the protocol — zcashd release 1.0.8-1.
According to a security post published by Wilcox on the Zcash blog, the exploit affected the network’s method of transaction priority handling. This bug, he said, could have allowed an attacker to use a “specially crafted transaction” to knock Zcash nodes offline in what amounts to a Denial of Service (DoS) attack.
In the original April 12 post notifying the community of the vulnerability, Wilcox wrote that his team had not found any evidence of the bug’s exploitation “in the wild.”
Wilcox then repeated that claim in an update announcement. After deploying detectors, he said, his team still had not found evidence of anyone exploiting the bug.
The final post addressing the bug fix notified Zcash users that they could still be affected by the bug if they did not upgrade to the latest version of the client immediately:
“If an attack transaction is successfully executed then only the users running vulnerable clients which have accepted the transaction in their mempool will be vulnerable. Accepting an attacker’s transaction with an old client may cause the Zcash client to crash.”
Additionally, Wilcox said that the Zcash team has worked with exchanges, wallet providers and miners to ensure the vulnerability does not cause issues for their respective services.
Avoiding Current and Future Attacks
Advising users worried about the attack, Wilcox wrote that individuals need to upgrade to zcashd release 1.0.8-1, as well as make sure third-party services they use have upgraded to the latest release.
Wilcox said that developers and third-party service providers are rolling out solutions that will alert users of any ongoing attacks against the network.
Additionally, the cryptocurrency’s developers will use their social media to alert the community of any potential attacks.
Zcash’s Controversial History
Launched in late 2016, Zcash drew skepticism from the cryptocurrency community almost immediately.
In the weeks leading up to the launch, the coin’s developers released documentation explaining its features, including privacy measures and a Proof-of-Work algorithm that purportedly improves upon Bitcoin greatly.
With the features promised by Zcash, hype quickly spread throughout the community. Then, a few days after the launch, the hype exploded into a buying frenzy that pushed the price of the then extremely scarce Zcash to nearly US $5,000.
The price crashed quickly though, reaching lows of $30 and below by February 2016. The massive sell offs that occurred in the weeks and months following launch spawned rumors of scams and pump-and-dump schemes. Ultimately, though, the Zcash price stabilized — albeit at a level much lower than the launch price.
At press time, Zcash is worth $66.58 per coin.
The team has published full documentation on the DoS vulnerability on their official blog.
Do you think people should worry about this vulnerability? Let us know your thoughts down below.
Images via Pixabay, Zcash