The developers behind the privacy-centric cryptocurrency Zcash have recently revealed they’ve fixed a vulnerability that would’ve allowed attackers to generate an infinite number of ZEC tokens, potentially destroying the cryptocurrency.
According to the team, the vulnerability was discovered back in March of last year, and was deemed extremely dangerous. So much so, that only four people knew about it before a patch for it was released later on in October.
The four were Ariel Gabizon, a Zcash cryptographer who originally discovered it, Sean Bowe, another cryptographer who confirmed the finding, Zooko, and Nathan Wilcox, the CEO and CTO of the Zcash Company, who coordinated the fix.
The cryptocurrency, which relies on a “highly advanced” privacy-focused protocol, is reportedly used by organizations like JP Morgan Chase, which further forced the developers to keep it a secret. If the flaw was abused, ZEC tokens could potentially flood the ecosystem, to the point they would become worthless.
To prevent attackers from exploiting the flaw, the team deleted a “large MPC protocol transcript,” that could have reportedly been used in the exploit. When the community asked the team about it, it claimed it was an “accidental deletion.”
The bug was patched in October through the cryptocurrency’s “Sapling” upgrade, which replaced the vulnerable code. These included Horizen and Komodo. The disclosure reads:
The counterfeiting vulnerability was fixed by the Sapling network upgrade that activated on October 28th, 2018. The vulnerability was specific to counterfeiting and did not affect user privacy in any way. Prior to its remediation, an attacker could have created fake Zcash without being detected. The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users.
Soon after, Zcash notified cryptocurrencies that used its code to patch it. Only recently have details about the vulnerability been released to the public. Despite the security measures taken, the cryptocurrency’s developers believe it would’ve been hard for hackers to take advantage of the vulnerability.
This, as discovering the vulnerability would’ve “required a high level of technical and cryptographic sophistication that very few people possess.” The vulnerability had reportedly existed for years and remained “undiscovered by numerous expert cryptographers, scientists, third-party auditors, and third-party engineering teams who initiated new projects based upon the Zcash code.”
Despite the activity surrounding Zcash and its code, the bug seems to have remained undiscovered until it was patched, as according to the crypto’s developers it would’ve left a “specific kind of footprint” on the blockchain if it was used, and no such footprint has been detected.
According to CryptoCompare data, Zcash is currently trading at $46.11 after falling 4.46% in the last 24-hour period.