How does turnstile defense against counterfeiting work

#1

Can you maybe explain how this turnstile defense against counterfeiting works?

Lets say hypothetically that someone did counterfeit Zcash and tries to send 1M Zcash from z address to t address. This mechanism detects it and I am not sure what it does exactly. Does it make all sprout balance invalid but this 1 M zcash goes through, or does it invalidate this 1M zcash (minus what was suppose to be in sprout) ?

[Updated] 2.0.5 release delayed, expected next week
#2

The mechanism is specified as ZIP 209:

If the “Sprout value pool balance” or “Sapling value pool balance” would become negative in the block chain created as a result of accepting a block, then all nodes MUST reject the block as invalid.

2 Likes
#3

But what would happen with those fake Zcash? Could they try send them again and again and thus prevent blocks from getting accepted ?

1 Like
#4

No, as I understand it, if someone tried to counterfeit Zcash (that would have to be sitting in Sprout value pool, at this very moment) the maximum they could theoretically remove would the the total value of that pool.

As it sits right now that pool has 190,270.19 ZEC in it. As soon as that number goes negative (more is trying to be withdrawn than the total) the new consensus code would permanently freeze that pool and all funds would be lost.

As a worst case scenario, that would be a loss of 1.9% of the total supply of Zcash.

2 Likes
#5

Ok thanks, that sounds good to me.

#6

To be more precise, the consensus rule prevents the Sprout or Sapling pool values from going negative. The transaction that would have caused it to go negative may still be in nodes’ mempools, but will never be mined.

A rational attacker would probably try to avoid tanking the price before they could cash out their forged coins, so they would probably not transfer all the forged coins at once. In any case it’s correct that the maximum impact on supply is limited by the pool value (for each of Sprout and Sapling).

Just as a reminder, we have no reason to believe that there has been any forgery. This is a precaution to limit the maximum impact on supply of any potential forgery in the shielded pools.

4 Likes
#7

Incidentally, the reason for the delay [to releasing v2.0.5] has nothing to do with the turnstile consensus rule. It’s due to a bug we found at the last minute in the implementation of the getmigrationstatus RPC.

#8

Does this include the funds of people that have legally/honest their ZEC funds in the pool?

For example: x people have ~190,000 ZEC within the sprout pool. The attack manages to withdraw let’s undetected 3x 50,000 ZEC or a total of 150,000 ZEC. At the least attempet when he tries to withdraw the 4th time 50,000 ZEC the balance would go negative and ALL funds frozen, including the ~190,000 ZEC of the people that didn’t even touch them meanwhile. Is this a correct assumption of what would happen in such case? Or how would it play out for these people holding ZEC in the sprout pool?

#9

Yes, any block that would contain a transaction that would case the value to go negative would be rejected.

The way Zcash privacy works is all transactions in/out of the pool look the same so nobody can tell who sent what. This also means that there is no way to tell if someone has “legitimate” funds in the pool.

#10

Let’s hope there never will arise such situation, but what would happen if i for example bought from Gemini 50,000 ZEC, sent them to that sprout adress and never touched them ever again after that (means no more any transaction). My funds would be blocked/lost, but i could proof they are legitimate …

As said, let’s hope this stituation will never occur and i’am pretty sure here this bug was never exploited, just commenting it out of curiousity.

#11

You could prove that you had funds in the pool, but it’s impossible to know which ones are yours. That’s the strength of Zcash privacy, tens of thousands of transactions can happen in that pool and can’t be traced.

If you did that today you would want to use a Sapling address anyway, there is no reason to send to Sprout addresses at all. That’s why they are releasing the migration tool to encourage everyone to drain that pool and move funds to the Sapling pool.

#12

Calling the turnstyle a defense against counterfeiting is arguably an overstatement.
You are right - in the example you gave the honest players’ funds would be frozen.
The turnstyle simply allows whoever goes out first to exit - whether it’s the counterfeiter or the honest user.

2 Likes
#13

This shouldn’t be a matter for the honest user, but the Zcash responsibility that no honest user ever will lose funds due a bug/whatever in the blockchain code. In case this worst case scenario will happen and that a counterfeiter can pull funds but honest folks will loss their funds that it would be worse than a bank.

Agreed,as this no way prevents the counterfeiter to “legalize/legitimite” the counterfeits i wouldn’t call it a defene as well, even more as it would be at the cost of honest people in such case.

#14

I would say it is a defense against counterfeiting but specifically to protect the rest of the network from resulting inflation.

3 Likes
#15

I am not sure what those honest users are waiting for, to transfer their zcash from Sprout to transparent and then to Sappling.

Maybe the foundation need to push this info ?

#16

I would argue part of the reason they’re waiting, besides it seeming at least perceived unlikely perhaps the/an exploit was used, is that the risk of frozen funds is not made clear - partly because it is stated “we have a defense against counterfeiting”,
and the company stated “users need take no action”.
@paige - I would find it more reasonable/less objectionable to call it defense against inflation.

2 Likes
#17

; ) “natural deflation”

#18

Well see… the migration tool is going to be released alongside the consensus change. ECC has suggested users wait for this tool to best protect against privacy leaks. Once the tool is out, there’s no longer any reason to keep funds in Sprout.

2 Likes
#19

Well, maybe many people are waiting for support by the hardware wallet manufacturers… LedgerWallet for example has no support nor any ETA about Sapling z-addresses on their Nano S / Nano X.
This is a big issue for all hodlers and I think that ECC and/or the ZFoundation should push in that direction

1 Like
#20

I doubt any user that has funds in the sprout pool (expect some very technical folks, someone reading the gifthub/forum) has an idea that his funds could be at risk IF a counterfeiter moves his funds bevor them.
It’s obvious that it’s not mentioned to possible FUD, reputation risk…), but would it be really fair against these folks in case there was a counterfeit? I would even go as far as saying if such case occurs that it’s legally questionable and that it was missed to make it clear what danger/effect/loss may occur.
Out of curiousity, what’s the internal legal advisors comment on this one?

Again underlining that me personally is sure that 99.99% i believe there was no counterfeit, but the worst case scenario is still something someone always should have in mind.