In a disclosure made Tuesday, the development team behind Zcash, the most highly capitalized privacy-focused cryptocurrency (with a market cap in excess of $270M at the time of publication), revealed that it had quietly fixed a critical security flaw in Zcash's design. The flaw was discovered by Zcash cryptographer Ariel Gabizon about a year ago.
Last March, while preparing a presentation for a financial cryptography conference the following day, Gabizon discovered a crucial flaw in the cryptography underlying zk-SNARKs, the form of zero-knowledge proof used by Zcash and other privacy coins to give users the option of greater privacy through true cryptographic anonymity.
Zcash says the vulnerability, which was so subtle that the world's top cryptography experts had overlooked it for years, did not threaten the network's anonymity in any way. It was a soundness flaw rather than a privacy flaw: an attacker who knew of it could have forged proofs and created an unlimited amount of counterfeit Zcash.
Had the flaw been found by someone less scrupulous, it could have been exploited to mint potentially millions of dollars' worth of counterfeit coins, diluting the holdings of Zcash users before anyone noticed and perhaps irreparably damaging the market's trust in the privacy coin.
Because other cryptocurrencies employ the same zk-SNARK construction, the stakes were high. These include Komodo, whose KMD tokens have a total market value in excess of $70 million, and Horizen (formerly called ZenCash), whose ZEN tokens are valued at $22 million.
With so many millions of dollars of cryptocurrency users' money exposed to counterfeiting and sabotage, Zcash remained tight-lipped about the vulnerability. It chose to privately notify only Komodo and Horizen (the two highest market-cap coins that employ the flawed cryptography), and only after quietly shipping a fix for the vulnerability in Zcash's Sapling network upgrade at the end of October.
Market Confidence in ZCash and Privacy Coins
Emin Gün Sirer,