The team behind Zcash, a cryptocurrency that touts enhanced privacy for its users, revealed that it fixed a bug that could have been used to counterfeit unlimited coins, according to reports.
A Zcash cryptographer named Ariel Gabizon said he found the bug in zk-SNARKs, the cryptography the team uses to hide balances and identities.
When the team discovered the bug, they quietly worked on a fix and added it to an upgrade last October. The news about the bug had not been previously revealed.
In a blog post, the company laid out the whole debacle.
“The counterfeiting vulnerability was fixed by the Sapling network upgrade that activated on October 28th, 2018. The vulnerability was specific to counterfeiting and did not affect user privacy in any way. Prior to its remediation, an attacker could have created fake Zcash without being detected. The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users,” the company said.
The company said it found out about the bug a little less than a year ago.
“The counterfeiting vulnerability was discovered by a cryptographer employed by the Zerocoin Electric Coin Company (aka The Zcash Company) on March 1st, 2018. It was not reported publicly at the time in order to protect against it being exploited prior to its remediation, and to provide information and remediated code to other projects that were also vulnerable. We employed stringent operational security measures to keep its existence a secret, even from our own engineers.”
Zcash said no one was aware of the vulnerability and that it was positive that no counterfeiting happened because “discovery of the vulnerability would have required a high level of technical and cryptographic sophistication that very few people possess,” and “the vulnerability had existed for years but was undiscovered by numerous expert cryptographers, scientists, third-party auditors, and third-party engineering teams who initiated new projects based upon the Zcash code.”