Shielded Labs Engages Taylor Hornby as Security Consultant

Shielded Labs is bringing on Taylor Hornby (@earthrise) as a part-time Security Consultant for a three-month engagement, starting today, as we’re seeing a significant increase in security-related activity. Over the past few weeks, the volume and pace of vulnerability reports has picked up, and we expect this trend to continue.

In March, a white-hat researcher used AI to uncover a critical vulnerability in zcashd that had gone undetected for nearly six years. It was patched quickly, but it wasn’t an isolated incident. That same researcher, as well as three other independent researchers, have identified additional vulnerabilities in zcashd and Zebra that have been triaged, and there are a growing number of reports from other researchers as well. Meanwhile, the crypto ecosystem is seeing a surge in AI-assisted attacks. Earlier this month, the Drift Protocol was drained of $285 million in a hack tied to North Korean-affiliated actors who used AI-assisted social engineering to gain access.

We think this is the beginning of a broader trend. AI is making it dramatically easier and faster to find bugs in complex codebases, and we expect the volume and sophistication of vulnerability reports, and possibly exploits, to increase significantly. We want to get ahead of it.

Taylor’s primary focus will be identifying vulnerabilities and helping improve the overall process for handling them. If there are critical bugs in the codebase, we want to make sure they are found and fixed. When vulnerabilities are found, Taylor will work closely with the other Zcash organizations to assess severity, coordinate fixes, and make sure patches are rolled out to infrastructure providers. His work will run alongside other efforts across the Zcash ecosystem, with the goal of reaching a point where none of these teams are finding anything. That would give us confidence that a bad actor using off-the-shelf AI tools is not going to find something we’ve missed.

Taylor has been involved with Zcash since before launch and has spent years working on its security. He previously worked as a security engineer at the Electric Coin Company, and after leaving ECC, spent a year as the Ecosystem Security Lead through Zcash Community Grants. He currently serves on the Zcash Foundation Board of Directors. Shielded Labs has also previously engaged Taylor to conduct a design review of ZIP 231 on Memo Bundles.

We’re grateful to have someone with Taylor’s background stepping into this role. He brings exactly the kind of depth of knowledge and experience with Zcash that this work requires.

This is a great place to start

https://bitcoincore.org/en/security-advisories/

It’s a great initiative and a necessity imo. In light of all the recent exploits, more recently KelpDAO, it’s vital.

Zcash faces a special challenge when it comes to vulnerabilities. Ethereum and others get away with a lot simply because the public nature of their blockchains favors auditing (and, well, surveillance). We don’t have that luxury.

This has genuinely been shifting how I perceive network upgrades that “touch” the privacy and hardness circuits. Every modification is a potential fatal liability being incurred — and we may not even know whether one already exists in the current state of things.

I think the community would do well to permanently fund researchers and scientists dedicated to continuously evaluating these components — and not only from a strict security standpoint. We know that even when the goal is innovation or optimization, the simple act of studying the circuits often surfaces issues that would otherwise go unnoticed.

Just as importantly, any findings (and the people who make them) should be held in very high regard publicly. In Big Tech, “pre-bugs” tend to go underappreciated, and that contributes to a culture where such work isn’t prioritized or rewarded. Zcash, given what’s at stake, can’t afford to repeat that pattern.

Which is why I want to take the opportunity to say thank you to the people who have designed, built, specced, reviewed, and audited these circuits over the past decade. This list is certainly incomplete, and any omissions are my own (and Claude’s) — but the work of the people below is a meaningful part of why Zcash exists and why it remains trustworthy:

• Alessandro Chiesa
• Alex Biryukov
• Andrew Miller
• Andrew Poelstra
• Ariel Gabizon
• Benedikt Bünz
• Brian Warner
• Chelsea Komlo
• Christina Garman
• Daira-Emma Hopwood
• Dan Boneh
• Daniel Kales
• Deirdre Connolly
• Derek Hinch
• Dmitry Khovratovich
• Dominic Tarr
• Eirik Ogilvie-Wigley
• Eli Ben-Sasson
• Emery Rose Hall
• Eran Tromer
• Eric Schorn
• George Tankersley
• Georgios Konstantopoulos
• Greg Pfeil
• Henry de Valence
• Howard Wu
• Ian Miers
• Jack Gavigan
• Jack Grigg
• Jack Lloyd
• James Prestwich
• Jan Winkelmann
• Jay Graber
• Jean-Paul Calderone
• Jennifer Fernick
• Jens Groth
• John Dobbertin
• Kobi Gurkan
• Kris Nuttycombe
• Lorenzo Grassi
• Madars Virza
• Markulf Kohlweiss
• Markus Schofnegger
• Mary Maller
• Matthew Green
• Mike Lodder
• Mirco Richter
• Nathan Ginnever
• Nathan Wilcox
• Nicholas Ward
• Nicolas Gailly
• Oana Ciobotaru
• Parnian Alimi
• Paul Bottinelli
• Peter Todd
• Peter Van Valkenburgh
• Philipp Jovanovic
• Pieter Wuille
• Pratyush Mishra
• Ramakrishnan Muthukrishnan
• Roman Walch
• Sean Bowe
• Simon Liu
• Steven Smith
• Taylor Hornby
• Teor
• Thomas Pornin
• Ying Tong Lai
• Zac Williamson
• Zooko Wilcox-O’Hearn

This great news from shielded labs bringing Taylor on to lead the way on the ongoing security threats. Great leadership form shielded labs I just spoke on this in my monthly post Lowo Life as a ZEC Member - #21 by Lowo88.

I agree with @thejohnnycrypto three months is a solid start. In the near future Zcash will need a dedicated security team, I just left the Zcash Engineering Office Hours: a guided reading of the full Zcash Protocol Specification in PDF. With @shieldedmark Nate and Daira not too long ago can create some good candidate for the task. Defending privacy from AI threats will require the whole community’s effort. If we can maximize participation in workshops views capped at 45 viewers online defending privacy so Zcash can be truly unstoppable.