Zcash Counterfeiting Vulnerability Successfully Remediated

Why would you publish publicly the fingerprint so an attacker could take steps to avoid it?

Again, I have no idea if such a thing exists, just speculation.


The vulnerability doesn’t exist anymore, so it’s all about researching IF the vulnerability was exploited or not.


Maybe the footprint is afterwards, when sending the newly minted ZEC for the first time? We don’t know enough yet.

While the vulnerability doesn’t exist, any counterfeit ZEC that was hypothetically generated could just be sitting in the shielded pool. To generate real value it’d need to be withdrawn.

I’d guess it’s as simple as looking at value changes in the shielded pool and not seeing any huge movement indicative of an attack (particularly when say movements of the founders’ reward funds would be known to the people looking). I mean after all if you could do this probably cashing out sooner rather than later would be a good idea if your goal is to maximise profits, but clearly we won’t know until Sprout is deprecated (and even then we’ll never truly know, but it won’t be relevant anymore).

@paige Thanks for the information and explanation!

From my understanding the counterfeiting would have taken place during a transaction and not during mining then? So the coins could appear inside a z-add aka hidden from the public?

Was the turnstile added because of this bug, or was this already on the roadmap?

Maybe I’m not understanding the turnstile correctly.

With the turnstile, wouldn’t that only work if a person exploited the bug and made more coins than have been lost in all the Sprout z-add? If people have lost z-add coins and can never convert them into the new Sapling addresses, there could be thousands of hidden coins that have been lost that will never be calculated or withdrawn, skewing the numbers.

Sure there is still a chance the exploiter might take out too much, and the Sprout Shielded Pool would show it, but currently they would have around 200K coin room to work with right now. And it’s public knowledge how close they would be to being exposed.

It’s nice having an audit system in place, but it seems there are some holes in the system and it can’t be relied on to inform us of counterfeiting.

We’re not sitting on any secret method of detection. The time for secrets is over, thank god. Now we can go back to being fully transparent and being able to focus fully on new improvements instead of opsec, mitigation, remediation, and disclosure!

A perfectly-executed counterfeiting attack would be undetectable by any cryptographic means. The “footprints” mentioned in the blog post are about evidence that would be left if an attacker made mistakes. They might take an existing proof from the blockchain and use that as the base to generate their forgery, or they might generate multiple forgeries, and if so they might not hide all of the evidence connecting the various proofs. @arielgabizon wrote a script that scanned the blockchain for such evidence and did not find any.

There’s no way to detect counterfeiting unless the attacker makes this mistake, or of course if the Sprout pool value goes negative. As we’ve seen in Bytecoin’s counterfeiting exploitation and other exploits in the wild, attackers sometimes make mistakes that leave behind evidence.
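The one cryptography-independent signal mentioned above, the Sprout pool value going negative, as an added illustration (not Zcash code): a running-balance audit over constructed JoinSplit value transfers. The field names vpub_old and vpub_new follow the Zcash JoinSplit description; the sample data is constructed.

```python
"""Sprout shielded-pool running-balance audit (added example, not Zcash's own code).

vpub_old moves transparent value INTO the Sprout pool, vpub_new moves value OUT of
it, so pool balance += vpub_old - vpub_new per JoinSplit. A negative balance is the
only cryptography-independent proof that more value left the pool than entered it.
Amounts are integer zatoshi (1 ZEC = 10**8) to avoid float rounding.
"""
from dataclasses import dataclass

ZATOSHI = 10**8


@dataclass
class JoinSplitValue:
    height: int     # block height the transaction was mined in
    vpub_old: int   # zatoshi entering the Sprout pool
    vpub_new: int   # zatoshi leaving the Sprout pool


def audit_pool(events):
    """Walk events in block order; return (final_balance, first_negative_height).

    first_negative_height is None if the balance never dipped below zero,
    otherwise the height of the first block where withdrawals exceeded deposits.
    """
    balance = 0
    first_negative = None
    for ev in sorted(events, key=lambda e: e.height):
        balance += ev.vpub_old - ev.vpub_new
        if balance < 0 and first_negative is None:
            first_negative = ev.height
    return balance, first_negative


def headroom_zec(events):
    """How much could still be withdrawn before the pool would go negative."""
    balance, _ = audit_pool(events)
    return max(balance, 0) / ZATOSHI


# Constructed sample: 500 ZEC in, then 200 and 250 ZEC out -> 50 ZEC left, never negative.
SAMPLE = [
    JoinSplitValue(height=100, vpub_old=500 * ZATOSHI, vpub_new=0),
    JoinSplitValue(height=200, vpub_old=0, vpub_new=250 * ZATOSHI),
    JoinSplitValue(height=150, vpub_old=0, vpub_new=200 * ZATOSHI),
]
# Constructed overdraw: one more 80 ZEC withdrawal pushes the pool to -30 ZEC at height 250.
OVERDRAWN = SAMPLE + [JoinSplitValue(height=250, vpub_old=0, vpub_new=80 * ZATOSHI)]
```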


I see, thank you for the explanation @zooko


A thought… does there have to be an ‘official tool’ to migrate funds? Perhaps all that’s needed is a HowTo that’s been properly reviewed.

The zec-qt-wallet guys made a thing to do that, i.e. unshield a fixed amount (100, 10, 1, 0.1, etc.) to a new taddr, wait a random number of blocks/hours/days, send to Sapling, repeat.

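The procedure described in the post above (fixed denominations, fresh taddr, random wait, shield into Sapling, repeat) as an added planning example; this is not zec-qt-wallet’s code and does not implement ZIP 308. The wait range, the dust handling and the omission of fees are assumptions of this example.

```python
"""Sprout -> taddr -> Sapling turnstile migration planner (added example, not wallet code).

Mirrors the steps described in the thread: unshield one fixed denomination
(100, 10, 1, 0.1 ZEC) to a fresh transparent address, wait a random number of
blocks, shield it into Sapling, repeat. Amounts in zatoshi (1 ZEC = 10**8).
Assumptions: wait range below, dust under 0.1 ZEC stays in Sprout, fees ignored.
"""
import random
from dataclasses import dataclass

ZATOSHI = 10**8
DENOMINATIONS = [100 * ZATOSHI, 10 * ZATOSHI, 1 * ZATOSHI, ZATOSHI // 10]
MIN_WAIT, MAX_WAIT = 10, 300   # assumed range of blocks to wait between hops


@dataclass
class MigrationStep:
    amount: int        # zatoshi moved in this Sprout -> taddr -> Sapling hop
    taddr_index: int   # fresh transparent address per step, never reused
    start_block: int   # block at which the unshield is broadcast
    shield_block: int  # block at which the taddr -> Sapling send happens


def split_into_denominations(balance):
    """Greedy decomposition, largest denomination first.
    Returns (list of amounts, leftover dust that is not migrated)."""
    amounts = []
    for d in DENOMINATIONS:
        while balance >= d:
            amounts.append(d)
            balance -= d
    return amounts, balance


def plan_migration(balance, start_height, rng):
    """Build a schedule: one fresh taddr per step and a random wait both before
    shielding and before the next unshield, so hops are not trivially linkable
    by amount or timing. The order of amounts is shuffled for the same reason."""
    amounts, leftover = split_into_denominations(balance)
    rng.shuffle(amounts)
    steps, height = [], start_height
    for i, amt in enumerate(amounts):
        shield_at = height + rng.randint(MIN_WAIT, MAX_WAIT)
        steps.append(MigrationStep(amt, i, height, shield_at))
        height = shield_at + rng.randint(MIN_WAIT, MAX_WAIT)
    return steps, leftover
```

With a seeded random.Random the schedule is reproducible, which is only useful for testing; a real tool would draw from the OS randomness source.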

The migration tool just makes that more convenient, but it can absolutely be done manually.

The existing tool in ZcashQT wallet is nice, but I would prefer one that has been reviewed by an expert like @arielgabizon or @daira on the process used to select the randomness for transactions.

Ideally the end user should have to click as few buttons as possible, and have the least ability to screw it up. :stuck_out_tongue_winking_eye:


I would prefer that a cryptographer reviewed the zec-qt-wallet turnstile migration code and made recommendations and pull requests to improve it, rather than implementing a separate tool from scratch.

Of course, both options have pros and cons.

Improving the existing zec-qt-wallet solution will be much quicker and will also be part of the best GUI wallet available.

Implementing a turnstile migration tool from scratch will probably take longer to develop but has the upside of being an independent tool that doesn’t force you to use any specific wallet.


The specification we recommend is in the draft ZIP 308. The tool in zec-qt-wallet was written before this spec, but it would be possible to change it to follow the spec.


It makes me think: if a bug and the possibility of attack are inevitable, what tech should one choose? One that allows early detection, easy fix and damage certainty, or one that is hard to detect and fix and where the extent of damage is difficult to assess? Taking this risk we get an “opt in privacy feature”; does that sound like a fair risk reward?

I think there is a tech out there, or will be soon, which can provide the same feature with considerably lower risk. @zooko if there is a tech out there which provides better security and the same level of opt in privacy, will you consider implementing it into Zcash? Zcash is branded as a privacy coin and as long as it provides the same, I don’t think it will matter what tech is used. Does Zcash have loyalty to zero knowledge tech or to a secure privacy feature?

Bottom line is that if a breach occurs and privacy is compromised Zcash suffers, but if a counterfeiting breach occurs it will be worse for Zcash or any crypto for that matter, and the damage might be irreversible.


Another random thought… an official migration tool is an opportunity to shield transparent funds, perhaps prompt the user & ask if they’d like to do that at the same time?

What intelligent hackers we’ve got these days.
Glad you’ve fixed it.

Do you think Zcash Co wants to be fixing vulnerabilities? Any coder would prefer having the most secure and efficient system, but in reality there is always going to be some kind of tradeoff and risk involved in deploying such tech.

How they managed this incident was more than professional, and how they announced it was radically transparent. Personally I see this as one more reason to support the network and to believe in this project.

Do you even Zero Knowledge?
Zcash is more than unique and absolutely doesn’t “provide the same”. Just because others brand Zcash as a privacy coin doesn’t mean the Zcash company or community consider it a privacy coin. Privacy is necessary, not a goal to aim for.


Unfortunately it’s probably not the best time to prompt shielding of transparent ZEC. Correlations could be made to taddrs already associated with individuals and their usage of the tool.

I suspect the size of the transparent pool mostly comes from exchanges/wallets that only support that type. Once there’s a variety of exchanges/wallets that support shielded addresses, then we’ll likely see a natural shift to the Sapling shielded pool.


I posed the questions out there to get opinions; it goes with the intent of understanding a decentralized project. What are the constants and variables?

I don’t know anything about ZK tech; I consider myself an average everyday user. It will be interesting to know what your thoughts are on the identity of Zcash. I’m all for privacy as long as it does not compromise security.

Please ask the Zcash team if they would like to keep following the same protocol they followed in the latest incident to handle a similar incident in future. It has already raised questions of Zcash being centralized or decentralized. If Zcash has to survive on its own in the wild world it has to be independent.
That said, as a Zcash holder I’m relieved that the bug was identified and resolved, and thankful to @arielgabizon and all others who were involved after the identification to tackle the issue.


Privacy is a security property, and one that is central to Zcash’s design. We’ll continue doing our best to provide all of the designed security properties.