Zcash had an Exploit; but it Has Been Fixed

Important Information on Zcash, Zclassic, Horizen AKA Zcash, Komodo, Bitcoin Anonymous, and Bitcoin Private

The Zcash team has fixed a counterfeiting exploit. While no counterfeiting has been detected, the private nature of Zcash means there is no way to be 100% certain the flaw wasn’t exploited.

I don’t want to use incorrect words, because this is a serious issue… but two things to say:

  1. There are other infinite inflation bugs that have existed in other coins. On its own, this isn’t the end of the world; the only extra problem with Zcash is the privacy aspect, which keeps parts of the blockchain private (and harder to audit).
  2. The flaw has existed for years.
  3. The flaw would have required a very high level hacker to find and exploit.
  4. The flaw potentially exists in anything that uses Zcash code (for example Zclassic, Horizen AKA Zcash, Komodo, Bitcoin Anonymous, and Bitcoin Private). To put this another way, all ZK-SNARK coins are at risk.

This means you need to be cautious with any Zclassic coin. You need to be careful because there is uncertainty with Zcash (there is no way to know for sure there isn’t counterfeit Zcash out there), and one has to be extra careful with the other Zcash coins (make sure to research them and find out if they have patched the exploit).

For the official version: Zcash Counterfeiting Vulnerability Successfully Remediated.

Is there a solution? There is a two-part solution here. Part one is to patch the exploit. Part two is an audit, specifically a “turnstile audit.” The details can be understood by reading Sapling Addresses & Turnstile Migration (skip to the section on Sapling Turnstile).
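At its core, a turnstile audit is a balance check: value moving into and out of a shielded pool is publicly visible, so more value leaving the pool than ever entered it means coins were created inside. The sketch below is an added example, not code from Zcash or from the linked article; the `PoolFlow` record, the function name, and the sample figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PoolFlow:
    """Hypothetical per-block summary of public flows (amounts in zatoshi)."""
    height: int
    entered_zat: int  # transparent -> shielded
    exited_zat: int   # shielded -> transparent


@dataclass(frozen=True)
class AuditResult:
    final_balance_zat: int
    first_violation_height: Optional[int]  # None if the pool never went negative
    shortfall_zat: int                     # largest amount exited beyond what entered


def audit_turnstile(flows: Iterable[PoolFlow]) -> AuditResult:
    """Replay flows in height order and track the pool's publicly implied balance."""
    balance = 0
    lowest = 0
    violation = None
    for f in sorted(flows, key=lambda f: f.height):
        if f.entered_zat < 0 or f.exited_zat < 0:
            raise ValueError(f"negative flow at height {f.height}")
        balance += f.entered_zat - f.exited_zat
        if balance < 0 and violation is None:
            violation = f.height  # first block where exits exceed all prior entries
        lowest = min(lowest, balance)
    return AuditResult(balance, violation, -lowest)


# Constructed sample data: a consistent pool and one where extra value exits.
HEALTHY = [PoolFlow(100, 500, 0), PoolFlow(101, 0, 200), PoolFlow(102, 300, 400)]
INFLATED = [PoolFlow(100, 500, 0), PoolFlow(101, 0, 450),
            PoolFlow(102, 0, 120), PoolFlow(103, 50, 0)]

if __name__ == "__main__":
    print(audit_turnstile(HEALTHY))
    print(audit_turnstile(INFLATED))
```

A clean result only bounds the damage: counterfeit value that is still sitting inside the pool stays invisible until it passes through the turnstile.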

Which Coins Have Patched the Exploit? Last I heard Zclassic and Bitcoin Private have not patched the exploit yet, but my understanding is that Zcash, Horizen, and Komodo did. Bitcoin Anonymous is run by the team who runs Zclassic and Bitcoin Private, so I assume it is the same case there. To add insult to injury, Zcash, who found the bug, shared their findings with Horizen and Komodo, but not with the Zclassic team… which seems like a low and pointless blow. Even if they didn’t want to share with them first, logically they should have told them before going public.

