How does turnstile defense against counterfeiting work

But what would happen with those fake Zcash? Could they try to send them again and again and thus prevent blocks from getting accepted?

2 Likes

No, as I understand it, if someone tried to counterfeit Zcash (that would have to be sitting in the Sprout value pool, at this very moment) the maximum they could theoretically remove would be the total value of that pool.

As it sits right now that pool has 190,270.19 ZEC in it. As soon as that number goes negative (more is trying to be withdrawn than the total) the new consensus code would permanently freeze that pool and all funds would be lost.

As a worst case scenario, that would be a loss of 1.9% of the total supply of Zcash.

3 Likes

Ok thanks, that sounds good to me.

1 Like

To be more precise, the consensus rule prevents the Sprout or Sapling pool values from going negative. The transaction that would have caused it to go negative may still be in nodes’ mempools, but will never be mined.

A rational attacker would probably try to avoid tanking the price before they could cash out their forged coins, so they would probably not transfer all the forged coins at once. In any case it’s correct that the maximum impact on supply is limited by the pool value (for each of Sprout and Sapling).

Just as a reminder, we have no reason to believe that there has been any forgery. This is a precaution to limit the maximum impact on supply of any potential forgery in the shielded pools.

5 Likes

Incidentally, the reason for the delay [to releasing v2.0.5] has nothing to do with the turnstile consensus rule. It’s due to a bug we found at the last minute in the implementation of the getmigrationstatus RPC.

1 Like

Does this include the funds of people that legally/honestly have their ZEC funds in the pool?

For example: x people have ~190,000 ZEC within the Sprout pool. The attacker manages to withdraw, let’s say undetected, 3x 50,000 ZEC or a total of 150,000 ZEC. At the last attempt, when he tries to withdraw 50,000 ZEC for the 4th time, the balance would go negative and ALL funds would be frozen, including the ~190,000 ZEC of the people that didn’t even touch them meanwhile. Is this a correct assumption of what would happen in such a case? Or how would it play out for these people holding ZEC in the Sprout pool?

Yes, any block that would contain a transaction that would cause the value to go negative would be rejected.

The way Zcash privacy works is all transactions in/out of the pool look the same so nobody can tell who sent what. This also means that there is no way to tell if someone has “legitimate” funds in the pool.

Let’s hope such a situation never arises, but what would happen if I, for example, bought 50,000 ZEC from Gemini, sent them to that Sprout address and never touched them ever again after that (meaning no more transactions)? My funds would be blocked/lost, but I could prove they are legitimate …

As said, let’s hope this situation will never occur, and I’m pretty sure this bug was never exploited here, just commenting on it out of curiosity.

You could prove that you had funds in the pool, but it’s impossible to know which ones are yours. That’s the strength of Zcash privacy, tens of thousands of transactions can happen in that pool and can’t be traced.

If you did that today you would want to use a Sapling address anyway, there is no reason to send to Sprout addresses at all. That’s why they are releasing the migration tool to encourage everyone to drain that pool and move funds to the Sapling pool.

Calling the turnstile a defense against counterfeiting is arguably an overstatement.
You are right - in the example you gave the honest players’ funds would be frozen.
The turnstile simply allows whoever goes out first to exit - whether it’s the counterfeiter or the honest user.

4 Likes
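The rule discussed in the posts above (a block is rejected if it would take a pool's value below zero, so whoever exits first gets out) can be traced with a small model. This is an added example, not part of any post and not zcashd code: the `Pool` class, `zec` helper and exit order are constructed for illustration, using the 190,270.19 ZEC and 50,000 ZEC figures quoted in the thread.

```python
from dataclasses import dataclass

ZAT = 100_000_000  # zatoshis per ZEC; integers avoid float rounding


def zec(amount):
    """Parse a decimal ZEC string into integer zatoshis."""
    whole, _, frac = amount.partition(".")
    return int(whole) * ZAT + int(frac.ljust(8, "0"))


@dataclass
class Pool:
    """Public view of a shielded pool: only the running total is visible,
    never which notes inside it are genuine (hypothetical model)."""
    name: str
    value: int  # zatoshis seen entering the pool minus zatoshis seen leaving

    def connect_block(self, deltas):
        """deltas: net change per transaction (+ into pool, - out of pool).
        Turnstile check: reject the whole block if the total would go negative."""
        new_value = self.value + sum(deltas)
        if new_value < 0:
            return False  # block invalid, chain state unchanged
        self.value = new_value
        return True


def run_scenario():
    pool = Pool("sprout", zec("190270.19"))
    # Constructed exit order: a forger leaves first with 3 x 50,000 and tries
    # a 4th time, then two honest holders try to leave.
    exits = [("forger", "50000")] * 4 + [("honest-A", "50000"),
                                         ("honest-B", "40000")]
    results = []
    for who, amount in exits:
        accepted = pool.connect_block([-zec(amount)])
        results.append((who, amount, accepted))
    return pool, results


if __name__ == "__main__":
    pool, results = run_scenario()
    for who, amount, accepted in results:
        print(f"{who:9} exit {amount:>6} ZEC -> {'mined' if accepted else 'rejected'}")
    print("pool value left (zatoshis):", pool.value)
```

The check cannot tell the forger's exits from honest ones: the first three succeed, the fourth is rejected, and so is honest-A's identical withdrawal. What stays bounded is the total that can ever leave the pool, which is the supply-side limit the thread describes.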

This shouldn’t be a matter for the honest user, but the Zcash responsibility that no honest user ever will lose funds due to a bug/whatever in the blockchain code. In case this worst case scenario happens and a counterfeiter can pull funds but honest folks lose their funds, then it would be worse than a bank.

Agreed, as this in no way prevents the counterfeiter from “legalizing/legitimizing” the counterfeits, I wouldn’t call it a defense either, even more so as it would be at the cost of honest people in such a case.

I would say it is a defense against counterfeiting but specifically to protect the rest of the network from resulting inflation.

4 Likes

I am not sure what those honest users are waiting for, to transfer their Zcash from Sprout to transparent and then to Sapling.

Maybe the foundation needs to push this info?

I would argue part of the reason they’re waiting, besides it seeming at least perceived unlikely perhaps the/an exploit was used, is that the risk of frozen funds is not made clear - partly because it is stated “we have a defense against counterfeiting”,
and the company stated “users need take no action”.
@paige - I would find it more reasonable/less objectionable to call it defense against inflation.

4 Likes

; ) “natural deflation”

Well see… the migration tool is going to be released alongside the consensus change. ECC has suggested users wait for this tool to best protect against privacy leaks. Once the tool is out, there’s no longer any reason to keep funds in Sprout.

4 Likes

Well, maybe many people are waiting for support by the hardware wallet manufacturers… LedgerWallet for example has no support nor any ETA about Sapling z-addresses on their Nano S / Nano X.
This is a big issue for all hodlers and I think that ECC and/or the ZFoundation should push in that direction

2 Likes

I doubt any user that has funds in the Sprout pool (except some very technical folks, someone reading the GitHub/forum) has an idea that his funds could be at risk IF a counterfeiter moves his funds before them.
It’s obvious that it’s not mentioned due to possible FUD, reputation risk…, but would it be really fair to these folks in case there was a counterfeit? I would even go as far as saying that if such a case occurs it’s legally questionable, and that it was missed to make it clear what danger/effect/loss may occur.
Out of curiosity, what’s the internal legal advisors’ comment on this one?

Again, underlining that I personally am sure, 99.99% I believe, that there was no counterfeit, but the worst case scenario is still something someone always should have in mind.

1 Like

That is not correct. It has been explained on the Electric Coin Company blog back in November when the policy was put in place: Defense Against Counterfeiting in Shielded Pools - Electric Coin Company

A necessary consequence of this action is that any legitimate funds would also be lost forever in the affected pool.

Again in March

And @sgp (from Monero) even made a video about it: Breaking Zcash Episode 01: Counterfeiting Vulnerability [CVE-2019-7167] - YouTube

Plus, the ECC Twitter posted it, and there was a thread on Reddit about it: https://www.reddit.com/r/zec/comments/antwfr/breaking_zcash_episode_1_counterfeiting/

You need to get out of the Forums more often :wink:. I always keep an eye on Twitter, Reddit, GitHub, the Chat and the ECC Blog, that’s how I get all my information I convey to you guys.

4 Likes

Also, from @acityinohio: Concerning the Sprout Vulnerability CVE-2019-7167 - zcash foundation

Like the Company, we believe the chance of an exploit on mainnet is vanishingly small, thanks in large part to their extensive mitigations. But based on our understanding of the exploit, we are concerned that it’s non-zero (however small that may be). Unlike the inflation bugs in Bitcoin and Monero, the way Zcash’s privacy pool works it’s impossible to know if it’s been exploited… until Sprout addresses are deprecated. Once deprecated, ostensibly all Sprout holders will have moved their ZEC into Sapling addresses and any Zcash user will be able to detect unintended inflation in the transparent addresses used as part of that transition. This brings new urgency to a privacy-preserving turnstile tool to help users transition from Sprout to Sapling, and it’s one the Foundation would be happy to support in tandem with the Company, along with an accelerated deprecation schedule for Sprout.

Best case scenario: we accelerate the adoption of Sapling and prove without a doubt that an exploit didn’t happen. Worst (and very unlikely) case: somehow the bug was exploited, which we detect as the Sprout pool empties and users transition to Sapling addresses. In this case, we will encourage users to follow the guidelines set by the Company here.

I think there are ZEC holders who just aren’t paying attention to the project. Which is their prerogative, but definitely has downsides.

3 Likes