A blockchain researcher has warned that “all” privacy coin designs may contain cryptography bugs that would let attackers mint arbitrary amounts of counterfeit coins without anyone being able to detect it.
Tim Ruffing, a PhD candidate at Saarland University in Germany who has worked as an advisor to Zcoin, tweeted his “Public Service Announcement” earlier this week.
“All cryptocurrency designs with privacy features may have bugs in their cryptography that allow undetectable inflation,” Mr Ruffing said.
“Examples (include) Zerocash, Zerocoin, RingCT (Monero), QuisQuis, and even designs with ‘Confidential Transactions’ (such as) Mimblewimble (Grin), and Liquid.”
He added that he isn’t personally aware of bugs that aren’t yet publicly known but that privacy coins by their very nature can allow undetectable inflation. “In other words, it is not possible to audit the supply of these currencies,” he said.
Bugs have been fixed in Zcash, which shared its findings with Horizen and Komodo.
PSA: All cryptocurrency designs with privacy features may have bugs in their cryptography that allow undetectable inflation.
Examples: Zerocash, Zerocoin, RingCT (Monero), QuisQuis, and even designs with "Confidential Transactions" only, e.g., Mimblewimble (Grin), and Liquid.
— Tim Ruffing (@real_or_random) May 16, 2019
Zcoin suspends mints and spends after “irregularities”
In April, Zcoin (Zerocoin protocol) was forced to suspend mints and spends on the network after ‘irregularities’ were detected.
It put out a statement admitting that: “Forged coins were created, but not exceeding 1% of the circulating supply.”
It is the second time this has happened: in February 2017 hackers created 370,000 fake Zcoin tokens, which were sold for almost half a million dollars.
Zcoin contacted other projects built on the Zerocoin protocol, including PIVX, Veil, and Gravity Coin, to warn them to disable their Zerocoin functionality.
PIVX has since disabled its Zerocoin-based private coins and fallen back to operating as a non-private coin while it researches and develops a new privacy protocol.
The Zcoin developers have elected not to fix the issue, instead hastening the release of the new Sigma implementation that will replace Zerocoin.
Among those, we're aware of bugs that could have led to *undetectable* inflation in implementations of Zerocash (fixed) and Zerocoin (privacy features are disabled to make sure it's not exploitable). We can't know to what extent those bugs have been exploited to print money.
— Tim Ruffing (@real_or_random) May 16, 2019
Zcash kept the flaw a secret for eight months
The flaw, which would have allowed an attacker to print an unlimited amount of counterfeit Zcash, was first identified by a Zcash engineer in March 2018, but the company kept it under wraps and worked on a fix in secret.
The company explained it didn’t want to tip off hackers to the weakness: “We didn’t want to disclose to more parties until the majority of the exposed market cap had already been protected.”
It took eight months for the network to be upgraded, during which time any amount of counterfeit Zcash could have been minted by anyone who had found the flaw.
The technical team is unable to prove whether the bug was exploited, but says it has not identified any evidence of exploitation so far.
Zcash said the fix took so long because the “vulnerability is so subtle that it evaded years of analysis by expert cryptographers focused on zero-knowledge proving systems.”
The upside was that the flaw was correspondingly difficult for attackers to find and exploit.
The exploitable surface for undetectable inflation bugs in Mimblewimble implementations is much smaller than Zcash and includes the Bulletproofs implementations only. @beamprivacy did three audits by known companies and many audits by individuals. https://t.co/cDll5fzjEM
— Guy Corem (@vcorem) May 17, 2019
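Two of the points above, that a confidential-transaction verifier can only check that commitments balance, and that the range proof (Bulletproofs in Mimblewimble) is therefore the whole exploitable surface for undetectable inflation, are easier to see in code. The following is an added illustration written for this page; it is not code from Zcash, Zcoin, Grin, Beam, Liquid or any other project named here, and the safe-prime group, the hash-derived generators and the 16-bit amount range are toy choices made for the example.

```python
"""Toy confidential-transaction ledger: Pedersen commitments with and without
a range check.  Added illustration only; NOT code from any project named in
the article.

Group: the prime-order subgroup of Z_p^* for a safe prime p = 2q + 1, found by
search below (a real system uses an elliptic curve).  An amount v with blinding
factor r is committed as C = g^v * h^r mod p.  Amounts and blinds live in Z_q.
"""
import hashlib
import secrets


def _is_prime(n):
    """Trial division; adequate for the ~2^21 toy parameters used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def _safe_prime(min_q):
    """Smallest p = 2q + 1 with q >= min_q and both q and p prime."""
    q = min_q | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime(1 << 20)


def _subgroup_generator(label):
    """Hash-to-group: any square in Z_p^* other than 0 or 1 generates the order-q subgroup."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        g = pow(x, 2, P)
        if g not in (0, 1):
            return g
        ctr += 1


G = _subgroup_generator(b"toy-G")
H = _subgroup_generator(b"toy-H")  # log_G(H) must be unknown to everyone; hashing models that


def commit(value, blind):
    """Pedersen commitment; the chain stores only this number, never value or blind."""
    return pow(G, value % Q, P) * pow(H, blind % Q, P) % P


def make_tx(in_values, out_values, rng=secrets.randbelow):
    """Build a transaction.  The last output blind is chosen so the blinds balance,
    so the commitments balance exactly when the VALUES balance mod Q."""
    in_blinds = [rng(Q) for _ in in_values]
    out_blinds = [rng(Q) for _ in out_values[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % Q)
    tx = {
        "inputs": [commit(v, r) for v, r in zip(in_values, in_blinds)],
        "outputs": [commit(v, r) for v, r in zip(out_values, out_blinds)],
    }
    openings = {"out": list(zip(out_values, out_blinds))}  # stays with the owner, never on chain
    return tx, openings


def balance_check(tx):
    """All a verifier can do from on-chain data alone: prod(inputs) == prod(outputs)."""
    lhs = rhs = 1
    for c in tx["inputs"]:
        lhs = lhs * c % P
    for c in tx["outputs"]:
        rhs = rhs * c % P
    return lhs == rhs


def range_ok(openings, bits=16):
    """What a sound range proof guarantees: every hidden output lies in [0, 2^bits).
    A real verifier never sees the openings, only a zero-knowledge proof of this
    predicate; if that proof is unsound, this check is effectively skipped."""
    return all(0 <= v < (1 << bits) for v, _ in openings["out"])


def honest_case():
    """Spend 50 into 30 + 20: balances, and both outputs are in range."""
    tx, op = make_tx([50], [30, 20])
    return balance_check(tx), range_ok(op)


def inflation_case(minted=1000):
    """Spend 50 into (50 + minted) and (-minted).  Amounts are exponents in Z_Q, so
    -minted is just Q - minted: the commitments still balance and the owner now holds
    50 + minted spendable coins.  Only the range check catches it."""
    tx, op = make_tx([50], [50 + minted, (-minted) % Q])
    return balance_check(tx), range_ok(op)


if __name__ == "__main__":
    print("honest   (balance, range):", honest_case())     # (True, True)
    print("inflated (balance, range):", inflation_case())  # (True, False)
```

With a sound range proof the second transaction is rejected at `range_ok`; with an unsound one the verifier is left with `balance_check`, which passes, and because the amounts never appear on chain there is no ledger total an auditor could recompute afterwards. That is the sense in which Ruffing says the supply of these currencies cannot be audited, and why the Zcash team can only say it has found no evidence of exploitation rather than rule it out.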
Bug fixed in Horizen and Komodo
After fixing the issue on its own network, Zcash contacted the two largest privacy coins affected by the bug, Komodo and Horizen, to give them detailed information about the fix, which has since been implemented.
Beam, a privacy coin built on a MimbleWimble implementation, recently underwent an audit that found its exposure to this class of bug to be much smaller than Zcash's.