Zcash statement on CVE-2018-17144

On September 17th, 2018, a discloser, who wishes to remain anonymous, provided the security@z.cash mailbox with details of an issue they had also supplied to Bitcoin Core. We immediately began an investigation into the claims. We found that the change that made Bitcoin Core vulnerable to this issue happened after we forked from Bitcoin. We then read the code in Zcash to see if we had removed the check separately and found we hadn't, leading us to conclude that we are not vulnerable to this attack.

We are grateful to the anonymous contributor for this disclosure. We ask anyone who knows of an issue, current or future, which could potentially threaten Zcash users to let us know via GPG to security@z.cash.

For reference, CVE-2018-17144: https://bitcoincore.org/en/2018/09/20/notice/

It is worth pointing out that between September 17th and September 20th, when Bitcoin Core devs knew that the issue potentially allowed balance violation but that fact was not public, they made no attempt to inform other projects of the seriousness of the issue; nor, to my knowledge, did they make sure that other potentially affected projects were informed of the DoS vulnerability independently of the original submitter's contact.