🗞️ News

The team at Coin Metrics published an extremely well researched and clearly written report detailing a discrepancy they discovered in the Bitcoin Private blockchain. Before we can get to the issue at hand, a bit of background on Bitcoin Private is in order. The network launched early this year as a "merge fork" of ZClassic and Bitcoin. Essentially, the team behind ZClassic took a snapshot of all coin ownership on both chains, then launched a new chain with a 1:1 credit for holders of each. ZClassic itself was a controversial fork of Zcash. It removed the "founders reward", a built-in payment to the developers of Zcash. For a more detailed explanation of the network's origins, check out this CoinDesk write-up from March. Link.
Now that we have some background on Bitcoin Private, let's get back to the issue at hand. The Coin Metrics team discovered that, during the forking process that created the merged blockchain, an extra 2 million coins were covertly created. These pre-mined coins were later moved into a shielded address, which made them invisible to the rest of the chain. This was possible because Bitcoin Private uses the same zk-SNARKs technology as Zcash to enable private transactions. Despite this, we know that some of these coins were eventually moved out of the shielded pool and possibly sold. This can be inferred because very few legitimate coins are being stored in shielded addresses. The write-up from Coin Metrics is approachable and well worth the read. Link.
The announcement led many to speculate that the developers of Bitcoin Private had created the covert coins. In response to the allegations, the devs published a Medium post laying out what supposedly happened. In it, they claim the coins were created during the public "fork mining" process and that anyone could have done it. The vulnerability which made the pre-mine possible has been blamed on a bug introduced by an anonymous developer who contributed to the Bitcoin Private source code in response to a bounty. The post also lays out a supposed plan to rectify the situation, namely hardforking all shielded coins out of existence, including the small number of legitimate coins held by normal users. Link.
As usual, there are a bunch of interesting threads to pull on in this story. For one, there's the fact that these "secret" coins were actually hiding in plain sight for about 9 months before anyone noticed. While this isn't a top-tier project, it still attracted significant attention and investment at its launch. It had a peak market cap of over $1.5 billion, and though only a small fraction of the artificially mined coins were moved, the perpetrator likely netted upwards of $3 million by selling them. Despite the fact that large sums of money were at stake, no one bothered to audit the supply or the forking process. Anyone with a modest technical understanding of the process could have discovered the issue. That means thousands of people invested millions of dollars, and not one of them did even basic diligence. It's a great illustration of the FOMO-driven mania surrounding cryptoassets over the past couple of years.
The technical details that made the covert coins possible are also fascinating. I did some digging here, so get ready for an in-the-weeds explanation. The snapshot of Bitcoin unspent transaction outputs (UTXOs) was added to the merge-fork by "mining" thousands of blocks. The blocks could be mined by any member of the public, and the difficulty was set such that even a consumer PC could find a valid block. Each fork block was permitted to have 10,000 coinbase-like transactions, each of which was supposed to assign an unspent transaction to an address via a single output.
The Bitcoin Private client shipped with a huge file containing the snapshotted UTXOs and validated the first output of each coinbase transaction against the list. It also ensured each block had 10,000 transactions. What it failed to do was ensure that each transaction had only a single output. So whoever "mined" the blocks containing the covert coins simply added an extra output to some of the transactions, minting new coins which they assigned to their address.
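The validation gap described above, as a simplified Python model added here (it is not Bitcoin Private's actual code): the two checks the client is described as making, the same checks with the one-output rule added, and a supply audit that compares coins created in fork blocks with the snapshot total. All names, data structures and sample blocks are constructed, and the per-block transaction count is reduced from 10,000 to 3.

```python
# Simplified model of fork-block validation. The structures and sample data are
# constructed for illustration; they are not Bitcoin Private's real formats.
from typing import NamedTuple

class Output(NamedTuple):
    address: str
    value: int  # amount in the smallest coin unit

class Tx(NamedTuple):
    outputs: tuple  # tuple of Output

TXS_PER_BLOCK = 3  # the article gives 10,000; reduced for the sample

def validate_as_described(block, snapshot):
    """The two checks the text attributes to the client."""
    if len(block) != TXS_PER_BLOCK:
        return False
    # Only outputs[0] is compared with the snapshot; later outputs are ignored.
    return all(tx.outputs and tx.outputs[0] in snapshot for tx in block)

def validate_strict(block, snapshot):
    """Same checks plus the missing rule: exactly one output per transaction."""
    return (validate_as_described(block, snapshot)
            and all(len(tx.outputs) == 1 for tx in block))

def audit_supply(blocks, snapshot):
    """Compare value created in fork blocks with the snapshot total.
    Returns (excess, extras); extras are (block, tx, output) beyond the first."""
    created = sum(o.value for b in blocks for tx in b for o in tx.outputs)
    expected = sum(o.value for o in snapshot)
    extras = [(bi, ti, o) for bi, b in enumerate(blocks)
              for ti, tx in enumerate(b) for o in tx.outputs[1:]]
    return created - expected, extras

# Constructed sample: six snapshot UTXOs imported by two fork blocks.
SNAPSHOT = {Output("addr_a", 100), Output("addr_b", 250), Output("addr_c", 75),
            Output("addr_d", 40), Output("addr_e", 10), Output("addr_f", 5)}
HONEST_BLOCK = [Tx((Output("addr_a", 100),)), Tx((Output("addr_b", 250),)),
                Tx((Output("addr_c", 75),))]
PADDED_BLOCK = [Tx((Output("addr_d", 40),)),
                Tx((Output("addr_e", 10), Output("addr_x", 500))),  # extra output
                Tx((Output("addr_f", 5),))]

if __name__ == "__main__":
    for name, blk in (("honest", HONEST_BLOCK), ("padded", PADDED_BLOCK)):
        print(name, validate_as_described(blk, SNAPSHOT), validate_strict(blk, SNAPSHOT))
    print(audit_supply([HONEST_BLOCK, PADDED_BLOCK], SNAPSHOT))
```

The padded block passes the first validator and fails the strict one, and the audit reports the surplus together with the block and transaction index of each extra output.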
I have a lot of questions about the design of the forking process. Why "mine" fake blocks to import the snapshot UTXOs in the first place? If you need a canonical file containing the official UTXOs to validate the chain, what's the point of creating the blocks? Even if there are good reasons for creating blocks (and there are some plausible ones), why mine the blocks in public? And why set the difficulty so low that anyone could mine them? I'd love to hear the Bitcoin Private team's explanation of these decisions, as nothing was laid out in the whitepaper.
These questions, of course, also point to the last reason this story is so interesting: good old-fashioned criminal intrigue. Was this an inside job? An elaborate scheme by the devs to enrich themselves while maintaining plausible deniability that someone else could have done it? Or is this a case where Hanlon's razor should be invoked: "Never attribute to malice that which is adequately explained by incompetence"? We don't know yet, but stay tuned. There's probably some digging left to do, and I have a feeling folks will be looking into it.