There is evidence that the second largest Zcash mining pool is censoring shielded (private) transactions. If more pools begin censoring shielded transactions it would make the privacy coin “mostly unusable,” according to one analysis.
Mining pool censorship
Lev Dubinets, a former software developer at AWS, noticed that F2Pool—the second largest Zcash mining pool, which controls 18 percent of the network hashrate—has been censoring private transactions since April 2017.
According to Dubinets, out of more than 86,000 shielded transactions year-to-date, F2Pool mined only 120. Given the pool’s hashpower, it should have mined roughly 15,000 shielded transactions. These numbers indicate that F2Pool is likely opting not to mine shielded transactions.
“Shielded transactions are underrepresented by F2Pool by three orders of magnitude,” stated Dubinets.
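The comparison behind these figures, as an added example that is not Dubinets' code or part of the original article: from per-block records of the mining pool and the number of shielded transactions in the block, compute each pool's expected count from its share of blocks and flag pools that fall far below it. The record format, pool names, thresholds and sample data are constructed, and block share is assumed to be a fair proxy for hashrate.

```python
import math
from collections import Counter

def pool_representation(blocks):
    """blocks: iterable of (pool_name, shielded_tx_count), one entry per block.
    Compares each pool's observed shielded txs with the number expected
    from its share of mined blocks (assumed proxy for hashrate)."""
    n_blocks, observed = Counter(), Counter()
    for pool, shielded in blocks:
        n_blocks[pool] += 1
        observed[pool] += shielded
    total_blocks = sum(n_blocks.values())
    total_shielded = sum(observed.values())
    report = {}
    for pool, count in n_blocks.items():
        share = count / total_blocks
        expected = share * total_shielded
        # Binomial model: each shielded tx lands in this pool's blocks
        # with probability `share` if the pool does not filter.
        sd = math.sqrt(total_shielded * share * (1 - share))
        report[pool] = {
            "share": share,
            "expected": expected,
            "observed": observed[pool],
            "ratio": observed[pool] / expected if expected else float("nan"),
            "z": (observed[pool] - expected) / sd if sd else 0.0,
        }
    return report

def flag_underrepresented(report, max_ratio=0.1, max_z=-5.0):
    """Pools whose shielded-tx count is both small relative to expectation
    and statistically implausible under the no-filtering model."""
    return sorted(p for p, s in report.items()
                  if s["ratio"] <= max_ratio and s["z"] <= max_z)

def sample_blocks():
    """Constructed data: pool_a mines 18% of blocks but almost no shielded txs."""
    blocks = []
    for i in range(1000):
        if i % 50 < 9:
            blocks.append(("pool_a", 1 if i % 500 == 0 else 0))
        else:
            blocks.append(("pool_b" if i % 2 else "pool_c", 1 if i % 3 == 0 else 0))
    return blocks

if __name__ == "__main__":
    rep = pool_representation(sample_blocks())
    for pool in flag_underrepresented(rep):
        s = rep[pool]
        print(f"{pool}: share={s['share']:.2f} expected={s['expected']:.1f} "
              f"observed={s['observed']} z={s['z']:.1f}")
```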
Reason for excluding shielded transactions
There are a few theories as to why F2Pool is choosing not to include shielded transactions in mined blocks. Dubinets speculates that it could stem from regulatory concerns, but even that seems unlikely. Miners normally are incentivized to include as many fee-bearing transactions as possible in a mined block.
Reuben Yap, the COO of privacy coin Zcoin, theorizes the choice could stem from fundamental challenges related to processing shielded transactions.
“My initial guess was that F2Pool engineers determined that not processing shielded transactions gave them some advantage in mining blocks (in a similar vein to mining empty blocks). Or that it was something to do with not wanting to deal with the complexities of verifying the zk proofs. Wang Chun’s recent post on Twitter indicates it to be the latter.”
In response to inquiries on potential censorship, Wang Chun, the owner of F2Pool, implied the exclusion was out of laziness rather than malice.
The original ZEC pool I wrote in 2016 didn't include any tx only empty blocks, not coz of censorship, but I was too lazy write code calc merkleroot. The current code is maintained by our dev @wincss he might be same lazy I guess. Will check with him. https://t.co/QsKsyH71dj
— wangchun @ bitfish+f2pool (@satofishi) June 6, 2019
If more pools come to a similar conclusion, it could become problematic for the Zcash network. If additional pools censor shielded transactions, it would make Zcash “mostly unusable,” according to Dubinets.
Opt-in by default?
One longstanding controversy around Zcash is the team’s choice to make shielded addresses optional. Unlike some other privacy coins, such as Monero, which obfuscate transactions by default, ZEC users must actively choose to send private transactions.
Research published this May by researchers from the University College of London found that only 6.3 percent of transactions are shielding transactions, which send funds from a public “t-address” to a private “z-address.” Only 0.3 percent of transactions are “private,” meaning a transaction between two shielded z-addresses.
Many responses to Dubinets’ analysis were critical of Zcash’s “opt-in” privacy feature. Many privacy-conscious users would prefer that shielding be enabled by default.
“There are two approaches which privacy coins take, one is to have privacy opt-in and the other to have privacy on by default. Although an incident like this is an argument to have privacy on by default to make it difficult for miners to censor transactions, there are many other considerations at play. For example, allowing transparent transactions allows easier adoption in many ecosystems such as exchanges and wallets and also can serve to allow traceability where required (e.g. for tracking charity payments), giving the coin more utility. ZK-proof privacy systems also do not suffer as much as decoy-based privacy systems when privacy is opt-in since the anonymity set is always increasing,” said Yap.
CryptoSlate reached out to Dubinets for suggestions on how the Zcash protocol could tackle the issue of miner-related censorship.
“A solution would be to make z-addresses easier to use and cheaper to spend. Hardware wallets like Ledger still don’t support z-addresses because they can’t generate proofs on a device with so little memory and compute power.”
That isn’t to say the Zcash team isn’t making progress towards making its privacy features more accessible. Following Sapling, the RAM and CPU requirements for generating proofs have decreased significantly, and further improvements are planned by the Zcash team.
“I hope that one day z-addresses are first class citizens, proof generation is very cheap, and that the Zcash team and community will consider removing t-addresses. Until then, more wallets and tools should be built that are ‘z-address first’ like Zepio Wallet. Users should use z-addresses more. Miners should avoid pools that censor and instead favor pools that have a stated commitment to privacy.”