07.02.2019

Zcash Bug Demonstrates the Difficulty of Auditing Complex Cryptocurrencies

Zcash Vulnerability Lay Undiscovered for Years

On Feb. 5, the Zcash team shared a blog post acknowledging the existence of a bug that had been in place since the privacy coin launched. Discovering its existence would have called for “a high level of technical and cryptographic sophistication that very few people possess,” claimed Zcash developers. While likely true, this admission has provided little comfort to zcash holders, and doesn’t augur well for any future bugs that have yet to be discovered. It stands to reason that any elementary exploits in the protocol will have long since been identified. As such, any critical Zcash bug to surface at this stage can be assumed to require sophisticated knowledge to pinpoint.

 

Common sense holds that the less moving parts a device has, the less there is to go wrong. The same concept applies to cryptocurrencies. With the addition of enhanced features such as smart contracts and complex privacy tech like zk-snarks, code becomes harder to audit, and it can be virtually impossible to determine whether vulnerabilities have been exploited. Bitcoin Core is not immune to vulnerabilities, with a bug that had lain undiscovered since 2016 only identified and patched last year. The relative simplicity of Bitcoin’s design, however, means it has less possible attack vectors, having survived a decade of adversarial probing by governments, research groups, and hackers.

Mixed Reactions to Zcash Response

Zcash Bug Demonstrates the Difficulty of Auditing Complex CryptocurrenciesThe disclosure of the vulnerability was greeted with a mixed response. Edward Snowden, who has previously signaled his support for the privacy coin, praised its well-funded developer team who are able to patch bugs of this nature before they are exploited. Others, however, including Monero’s Riccardo Spagni and cryptographer Peter Todd, pointed out the disingenuousness of Zcash claiming the bug was unlikely to have been exploited simply because it would have required high-level knowledge.

“Although we believe that no counterfeiting occurred, we are monitoring pool totals and will act in accordance with our published defense against counterfeiting in an effort to preserve the monetary supply,” noted the Zcash team. Zcash is trading at $46 per coin at the time of publication, down almost 5 percent from 24 hours ago, when the bug was publicly disclosed.