The Zcoin team discovered a vulnerability in the cryptography of the Zerocoin protocol that allows an attacker to forge zero-knowledge proofs and create coins out of thin air. Coins using the protocol such as Veil are vulnerable to attack until Zerocoin is disabled. Although the exposed flaw is fixable, the Zcoin team does not plan to allocate resources to the issue and instead will continue to focus on transitioning to its new privacy protocol, Sigma.
On Apr. 9, 2019, the XZC team was alerted to a series of irregularities in the mint and spend patterns of 100 tokens. They immediately contacted all pools, exchanges, and projects that utilize the protocol to disable Zerocoin while a deep investigation took place. By Apr. 19, the root cause of the issue was found and on Apr. 24 an emergency update was released.
During the investigation, the team was able to uncover that the vulnerability was not the result of a coding error but was actually a cryptographic flaw in one of the zero-knowledge proofs that had existed since the inception of the Zerocoin protocol.
Zerocoin works by allowing people to burn their coins (mint) and then redeem them later (spend) for new coins with no previous transaction history by producing a zero-knowledge proof that proves that they burnt the coins without showing which coins they burnt. To prevent people from reusing the same zero-knowledge proof to redeem new coins, each Zerocoin mint when spent will yield a unique serial number.
The flaw, however, allows an attacker to reuse a single mint to generate many spends with unique serial numbers, which mean that the attacker can create new coins out of thin air and inflate the cryptocurrency as they wish.
According to Zcoin’s disclosure, coins have been forged out of thin air—representing roughly 1 percent of Zcoin’s circulating supply. Coins which have something called the “masternode sporks” feature can turn off Zerocoin immediately, protecting themselves from attack. However, projects without the feature would need to hard fork to disable Zerocoin. Furthermore, coins that disable Zerocoin may compromise the privacy of subsequent transactions until a new privacy protocol is implemented.
Is Zerocoin dead?
CryptoSlate reached out to Reuben Yap, the COO of Zcoin, to know if there was a plan to solve the issues that the project is facing, to which he stated:
“Declaring Zerocoin is dead is premature. There are probably ways to fix it and we are already floating some ideas with other teams. The only reason why we won’t dedicate resources to it is because we are transitioning out already anyway in line with our long term road map.”
The company has spent most of 2018 working on replacing Zerocoin with Sigma, which is a precursor to their next generation privacy protocol named Lelantus that will expand its functionalities and privacy features during the minting and spending process. The new protocol makes it easier to be audited and will bring down proof sizes from 25 KB to 1.5KB. Sigma is in the final stages of development and is planned to be released on mainnet within the next two months.
Mr. Yap also addressed the concerns about why Zerocoin was used when the original library had warnings on it not to be used in production.
“The Zerocoin protocol and library have not been at a standstill and both the library and protocol in live use today have been consistently hardened and improved from the original. Since its inception in 2013, there have been at least 499 academic citations and even a paper that was published on discovered flaws and ways to fix them. Despite all the scrutiny from scholarly circles, it took this incident for this issue to be highlighted. This shows that it had nothing to do with coding errors in the library but instead, a result of a fundamental flaw in one of the cryptographic building blocks of Zerocoin, which is much harder to find.”
Reuben insisted that they are still collaborating and working together with other projects to solve these vulnerabilities, but even prior to the incident they were already in the final stages of transitioning out from Zerocoin.
It is unknown what will happen to other cryptocurrencies that use the Zerocoin protocol since they are still vulnerable to attacks and it is not trivial to switch to another protocol. Zcoin has yet to disclose the specifics of the cryptographic flaw because it could potentially elicit additional attacks on XZC and other projects using the protocol. For now, the team has contacted other projects using Zerocoin to give those projects time to secure themselves against the exploit.