🀫 Privacy Problems β€” Issue No. 37


This week, the team at the Zcash Company revealed a critical security vulnerability which had existed in Zcash. It has since been remediated. Zcash uses a mind bending, bleeding edge cryptographic technique called zk-SNARKs ("snarks") to enable private transactions. Alarmingly, the vulnerability allowed an attacker to surreptitiously mint an infinite supply of private coins. Because of the enormous risk to the network, the flaw was kept secret by the Zcash company-- in fact only four people within the company itself even knew about it. Those four team members then concocted an elaborate story to explain why they'd deleted sensitive information from their GitHub account that could have revealed the issue. Meanwhile, they worked to ensure a fix was shipped in the Sapling network upgrade that went live in October. Link.

Fundamentally, what snarks enables you to do is prove something-- such as your ownership of coins-- without revealing any information to do so. To accomplish this seemingly impossible task, a snarks implementation relies on a so-called "proving circuit". The circuit which had been used by Zcash was codenamed BCTV14, and had been developed by a team of researches in 2013. Despite the fact it had been reviewed and audited numerous times by many of the brightest researchers in the field of cryptography, the weakness in the circuit was so subtle and technical it went (seemingly) unnoticed until discovered by the Zcash team. This fact, along with other circumstantial evidence, means it's fairly unlikely the vulnerability was ever exploited to mint counterfeit coins. The shielded nature of Zcash, though, makes this hard to prove definitively. Link.

This story highlights one of the tradeoffs that comes with privacy enhancing technology. Generally, I'm a fan of technologies that result in better privacy, and this is especially true in the blockchain world. It's not hard to imagine how things could get dystopian if our economic lives migrate to fully transparent ledgers. That said, transparency does have it's advantages, and this is one of them: when the system is publicly auditable, it's easy to show the system is working as intended. This allows users to feel more confident in the networks they participate in. Privacy coins like Zcash and Monero will always have to deal with some uncertainty in this regard. We can never be sure the systems aren't being exploited in some hidden way.

Overall, though, I have to give the Zcash team high marks on how they handled this issue. Discovering a bug this insidious is a feat in itself. Keeping it a secret for months while getting a fix out is doubly impressive. The Zcash team is funded by a "founders reward", which is included in each mined block, a strategy I showed esteem for in last week's issue on developer incentives. This incident, and the competent way it was handled by the Zcash team, helps make the case that you get what you pay for.


8,200. The number of addresses holding a non-negligible amount of DAI-- the fully decentralized, dollar-pegged stable coin minted by the MakerDAO. In total, 1.5% of all Ether is now locked as collateral in Maker. This write up features a host of other numbers, and makes a compelling case that DAI is seeing real traction in the ecosystem. Link.