Zcash Counterfeiting Vulnerability Successfully Remediated

Just out of curiosity and in general, why is it more likely that an exchange would be chosen?
I mean IF someone has a direct buyer over the counter who pays either in cash or BTC, it would be the perfect solution for the counterfeiter, not?

It’s more likely simply because exchanges are the easier route. My comment didn’t deny the chance that an attacker could have established a direct buyer.

It’s possible that counterfeit coins, if any, could have been moved into a shielded address before the turnstile was implemented, in which case they are beyond traceability, right. So, there could be, say, 5 million ZEC in a shielded address waiting for total ZEC issuance to reach multi-millions?

So the majority of those hypothetical 5 million ZEC would have to live in the Sprout pool as that’s where the vulnerability was (it doesn’t exist in Sapling). Currently there are ~200k in the Sprout shielded pool and ~120k in the Sapling one (see https://zcha.in/statistics/network). If anyone tried to move more than 200k counterfeit ZEC out of the Sprout pool the total would go negative and it would be immediately obvious what had happened and unlikely anyone could realise anything for their Sprout ZEC.

See https://z.cash/blog/sapling-addresses-turnstile-migration/ for more.


Beyond that, it is the ECCs policy to not allow the Sprout pool to go negative. https://z.cash/blog/defense-against-counterfeiting-in-shielded-pools/


Just out of curiosity and hypothetically:

  • what would be the measure(s) taken if, let’s say, in 1 year the sprout pool goes negative due to counterfeiting that occurred 1-2 years earlier? Ok, if we see (hopefully not!) some day that the sprout pool goes negative that’s one thing, but what action would be taken if the source of the counterfeiting happened a longer time before? Could the source/mining pool/whatever even be identified 1-2 years later?

  • what happens IF the counterfeiter for example buys 50,000 ZEC and counterfeits 50,000 ZEC. If the bought 50,000 ZEC are sent to a shielded address and the counterfeit 50,000 ZEC from the shielded address to a transparent address, wouldn’t that, at least temporarily, hide traces and the alarm bells?

  • from the Blog Post regarding Defense against Counterfeiting: If we are able to identify that the bug affects only a single shielded pool, we might choose to effectively deactivate that pool by invalidating any of its outgoing transactions.
    Question A: What if it affects several shielded pools as you mention only “a single pool”?
    Question B: What if it happened over longer time frames, let’s say daily 1,000 ZEC over 6 months?
    Question C: Reading the whole article at least 10 times, I have the feeling that the defense is lagging too much, as the counterfeit (attack) would only be visible/detectable some day if and when the pool goes negative, not? Or do I miss something?

Again, just theoretical and hypothetical questions within IF cases…

Good questions. Let me try to clarify…

There is a bucket (Sprout pool). That bucket is different than other buckets (i.e. Sapling pool). Let’s say that we know that 100 ZEC in total has ever been placed into that bucket. If someone tries to take 101 ZEC out of the bucket, we know that counterfeiting had occurred sometime in the past. We know that 1 ZEC was created out of thin air at some point. So we don’t allow that transaction to occur.

However, if someone counterfeited 50 ZEC (or something less than 100 ZEC), they could take it out of the bucket that we know 100 ZEC was moved into. The bucket would now contain 50 ZEC, after their transfer. Now we believe there is 50 ZEC left in the bucket and no one would be allowed to take out more than the 50 ZEC remaining. Thus, the total monetary supply is protected.

Does that make any more sense?

Sorry for the confusion. We’ll publish another article in the near future with an attempt to be more clear.


If people are not allowed to take out the ZEC that they put into the Sprout pool, then I expect they will demand the Zcash company make them whole…

1 Like

That’s about what I had in mind when I wrote one of the questions above.

what happens IF the counterfeiter for example buys 50,000 ZEC and counterfeits 50,000 ZEC. If the bought 50,000 ZEC are sent to a shielded address and the counterfeit 50,000 ZEC from the shielded address to a transparent address, wouldn’t that, at least temporarily, hide traces and the alarm bells?

Meaning the counterfeiter could put these 50,000 legally bought (with proof) into the sprout pool, pull out at the same time his counterfeit 50,000 ZEC and then have a legal claim on the ECC company if he can’t get out his real bought 50,000 ZEC, not?

…doubt that would work as they’ve already been told what would happen under those circumstances.

bet a lot of zcash still in sprout pool are owned by dead ☠ people


Surprised the sprout pool hasn’t emptied faster, it’s not exactly hard to do.

1 Like

Maybe not dead per se, but the likelihood of it emptying completely is, yeah, about zip

1 Like

what have they been told? A counterfeiter wouldn’t pull the coins to the same wallet he has the bought coins in. Means the claims would be from the buyer of the legit coins while the counterfeit coins leaving the sprout pool would have been used already. Just in theory in this example to check if the defense would be a working one in such case …

“What will happen to prevent the sprout pool going negative” is public knowledge already - josh’s post for example, echoed in other places.

If someone tried to hold ECC liable I think they’d fail, many examples of ‘We told you so’… just my humble opinion of course (not a lawyer).

Ok, I get now what you had in mind. But I doubt this will work that way. Let’s just for one second forget the counterfeit part but YOU, for whatever reason, have 10,000 ZEC in the sprout pool. All of a sudden an unknown counterfeiter pulls his counterfeit ZEC and the sprout pool goes negative. Would mean you lost ALL your holdings without any fault other than having ZEC and having them in the sprout pool, which isn’t forbidden.
Just my amateurish opinion on the legal side: IF someone withholds legally bought ZEC, pretty sure there would be claims, leave alone maybe possible devastating community/holder feedback if the holdings of hundreds of small holders in the sprout pool are affected.

AHHH… I see. I was mixing the sequence of events up in my head assuming that…

…we know how much in the sprout shielded pool because it is the total issued minus the unshielded amount, right?

If the vulnerability was exploited, maintaining the shield means going through sapling’s turnstile.

The only other way to escape with the infinite zcash is to go to market. There are not many markets supporting shielded addresses. Of those that do (Rock, etc), I presume exorbitant volume was not evidenced.

So, I can keep calm and carry on…

There is the Sapling pool as well. It’s actually possible to measure what goes in/out of the pools (which is what zcashd does) as it must come from a transparent address so it is visible going in and out at the individual transaction level.

Right and if there are indeed exchanges that support Sprout addresses it’s possible an attacker could get away with some funds but it would still be detectable when whoever bought the coins moved them out of the Sprout pool. So it’s functionally little different to an attacker just moving them to a transparent address and selling them assuming they don’t make the pool go negative.

1 Like
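The "bucket" accounting josh describes above (a pool's running balance is what went in minus what came out, and a withdrawal that would push it below zero is refused), and the later remark that those flows are measurable because every entry or exit crosses a transparent address, can be put in a few lines of code. The following is an added illustration, not zcashd or ECC code: the `PoolLedger` class, the transaction ids and all amounts are constructed for the example, and amounts are whole ZEC rather than zatoshi for readability. It walks through both the 100 ZEC bucket and the "shield 50,000 legit, unshield 50,000 counterfeit" case raised in the thread, showing what the check catches (the pool going negative), what it does not (a counterfeit amount no larger than the pool's balance), and who ends up holding the loss.

```python
# Toy model of per-pool value accounting (constructed example, not Zcash code).
from dataclasses import dataclass, field


@dataclass
class PoolLedger:
    """Running balance of one shielded pool, derived only from the
    transparent-visible side of each transaction."""
    name: str
    balance: int = 0                          # ZEC believed to be in the pool
    log: list = field(default_factory=list)   # (tx_id, outcome, balance after)

    def apply(self, tx_id: str, into_pool: int = 0, out_of_pool: int = 0) -> bool:
        """into_pool: value moved from a transparent address into the pool.
        out_of_pool: value moved from the pool back to a transparent address.
        Returns False and changes nothing if the pool would go negative."""
        new_balance = self.balance + into_pool - out_of_pool
        if new_balance < 0:
            self.log.append((tx_id, "rejected: pool would go negative", self.balance))
            return False
        self.balance = new_balance
        self.log.append((tx_id, "accepted", self.balance))
        return True


def supply_is_bounded(issued: int, transparent: int, pools: list) -> bool:
    """Transparent value plus every pool balance can never exceed issuance,
    because each pool balance is clamped at zero by apply()."""
    return transparent + sum(p.balance for p in pools) <= issued


def bucket_example() -> tuple:
    """The 100 ZEC bucket: taking 101 out is refused; taking 50 out is not,
    even though those 50 may have been counterfeited."""
    sprout = PoolLedger("Sprout")
    sprout.apply("alice-shields-100", into_pool=100)
    took_101 = sprout.apply("withdraw-101", out_of_pool=101)   # refused
    took_50 = sprout.apply("withdraw-50", out_of_pool=50)      # accepted
    return took_101, took_50, sprout.balance                    # (False, True, 50)


def swap_scenario() -> dict:
    """Attacker shields 50,000 legitimately bought ZEC and unshields 50,000
    counterfeit ZEC. Supply stays bounded; an honest deposit gets stranded."""
    issued = 100_000            # constructed: total ZEC ever issued here
    transparent = issued        # everything starts on the transparent side
    sprout = PoolLedger("Sprout")

    sprout.apply("holder-shields", into_pool=10_000)          # honest holder
    transparent -= 10_000
    sprout.apply("attacker-shields", into_pool=50_000)        # real coins in
    transparent -= 50_000
    # Counterfeit unshield: indistinguishable from a legitimate one on the
    # transparent side, and the pool (60,000) covers it, so it is accepted.
    counterfeit_accepted = sprout.apply("attacker-unshields-fake", out_of_pool=50_000)
    transparent += 50_000

    # Honest holder leaves first: the remaining 10,000 covers them.
    holder_withdraw = sprout.apply("holder-unshields", out_of_pool=10_000)
    transparent += 10_000
    # The attacker's real 50,000 ZEC are still notes in the pool, but the
    # ledger believes the pool is empty, so that withdrawal is refused.
    attacker_legit_withdraw = sprout.apply("attacker-unshields-real", out_of_pool=50_000)

    return {
        "counterfeit_accepted": counterfeit_accepted,      # True: not detected
        "holder_withdraw": holder_withdraw,                # True
        "attacker_legit_withdraw": attacker_legit_withdraw,  # False: stranded
        "pool_balance": sprout.balance,                    # 0
        "stranded_value": 50_000,
        "supply_bounded": supply_is_bounded(issued, transparent, [sprout]),
        "log": sprout.log,
    }


if __name__ == "__main__":
    print(bucket_example())
    for line in swap_scenario()["log"]:
        print(line)
```

The point the model makes visible is the one the thread circles around: the balance check is a supply guarantee, not a detector. Counterfeit value at or below the pool's current balance passes unnoticed, and whoever is last to try to leave the pool, honest or not, is the one refused.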

The turnstile has the side effect of making Zcash less than fungible; ZEC in the Sprout pool carries some risk of being non-redeemable.

Perhaps a majority of Sprout balances is inaccessible, as one would expect it to be moved out to eliminate said risk.


“inaccessible” <— that’s what I’m thinking