Zcash Counterfeiting Vulnerability Successfully Remediated


A thought… does there have to be an ‘official tool’ to migrate funds ? Perhaps all thats needed is a HowTo thats been properly reviewed.

The zec-qt-wallet guys made a thing to do that, ie: unshield a fixed amount (100, 10, 1, 0.1, etc) to a new taddr, wait a random number of blocks/hours/days, send to sapling, repeat.

1 Like

The migration tool just makes that more convenient but it can be done manually absolutely


The existing tool in ZcashQT wallet is nice, but I would prefer one that has been reviewed by an expert like @arielgabizon or @daira on the process used to select the randomness for transactions.

Ideally the end user should have to click as few buttons as possible, and have the least ability to screw it up. :stuck_out_tongue_winking_eye:


I would prefer that a cryptographer reviewed the zec-qt-wallet turnstile migration code and made recommendations and pull requests to improve it, than implementing a separate tool from scratch.

Of course, both options have pros and cons.

Improving the existing zec-qt-wallet solution will be much quicker and will also be part of the best GUI wallet available.

Implementing a turnstile migration tool from scratch will probably take longer to develop but has the upside of being an independent tool that doesn’t force you to use any specific wallet.


The specification we recommend is in the draft ZIP 308. The tool in zec-qt-wallet was written before this spec, but it would be possible to change it to follow the spec.


It makes me think if a bug and possibility of Attack is inevitable what tech should one choose? one that allows early detection, easy fix and damage certainty Or one that is hard to detect, fix and difficult to assess extent of damage? Taking this risk we get “opt in privacy feature”, does is sound like a fair risk reward?

I think there is a tech out there or will be soon which can provide same feature with considerably lower risk? @zooko if there is a tech out there which provides better security and same level of opt in privacy, will you consider implementing it into zcash? Zcash is branded as a privacy coin and as Long as it provides the same, I don’t think it will matter what tech is used. Does zcash have loyalty to zero knowledge tech or a secure privacy feature?

Bottom line is that if a breach occurs and privacy is compromised zcash suffers but if a counterfeiting breach occurs it will be worst for zcash or any crypto for that matter and damage might be irreversible.

1 Like

Another random thought… an official migration tool is an opportunity to shield transparent funds, perhaps prompt the user & ask if they’d like to do that at the same time?


What intelligent hackers we’ve got these days.
Glad, you’ve fixed it.


Do you think zcash co wants to be fixing vulnerabilitys? Any coder would prefer having the most secure and efficient system, but in reality there is always going to be some kind of tradeoff and risk involed deploying such tech.

How they managed this incident was more than professional and how they annouced it was radically transparent. Personally I see this as 1 reason more to support the network and to believe in this project.

Do you even Zero Knowledge?
Zcash is more than unique and absolutly doesn’t “provide the same”. Only because others brand zcash as a privacy coin, doesn’t mean the zcash company or community consider it a privacy coin. Privacy is necessary, not a goal to aim to.


Unfortunately it’s probably not the best time to prompt shielding of transparent ZEC. Correlations could be made to taddrs already associated with individuals and their usage of the tool.

I suspect the size of the transparent pool mostly comes from exchanges/wallets that only support that type. Once there’s a variety of exchanges/wallets that support shielded addresses, then we’ll likely see a natural shift to the Sapling shielded pool.

1 Like

I posed the questions out there to get opinions, it goes with the intent of understanding a decentralized project? What are the constants and variables?

I don’t know anything about ZK tech, consider myself as an average everyday user. It will be interesting to know what are your thoughts on the identity of zcash. I’am all for privacy as long as it does not compromise security.

Please ask zcash team if they would like to keep following the same protocol they followed in the latest incident to handle a similar incident in future. It has already raised questions of zcash being a centralized or decentralized. If zcash has to survive on its own in the wild world it has to be independent.
That said, as a zcash holder i’am relieved that the bug was identified and resolved and thankful to @arielgabizon and all others who were involved after the identification to tackle the issue.


Privacy is a security property, and one that is central to Zcash’s design. We’ll continue doing our best to provide all of the designed security properties.


I’am abit confused understanding this, can you give a real world example?


A bit off-topic but still a good place to post this article in my opinion.

What’s the ZEC defence mechanism for this kind of double spending attack that can for example be easy exposed on the BSV network?

Making double-spending 0-conf with Bitcoin SV


How did you find the vulnerability in the first place? Was it unexpected?


Read blog post and you’ll figure it out :slight_smile:


Security is the state of being free from danger or threat. (That’s just the first dictionary definition I came across, and it seems like a pretty reasonable definition.) If your financial transactions are revealed publically, that can put you in danger in many ways: it reveals a lot of other information about you that can be used to exploit or threaten you, or to steal from you.


Couldn’t counterfeiting have occurred before the turnstile migration was installed with sapling? Seemingly real zcash-sprout traded for, say, actual bitcoin before sapling to avoid being accounted for at any turnstile, right?


If counterfeiting occurred prior to the fix in Sapling, the attacker could have sold the counterfeit coins to someone directly for bitcoin but it’s more likely that they would have moved them to a transparent address for trading on an exchange if they wanted bitcoin or another crypto since exchanges do not yet implement shielded addresses.

1 Like