Zcash statement on CVE-2018-17144

paige · October 10, 2018, 5:59pm

On September 17th, 2018, a discloser, who wishes to remain anonymous, provided the security@z.cash mailbox with details of an issue they also supplied to Bitcoin Core. We immediately began an investigation on the claims. We found that the change, which made Bitcoin Core vulnerable to this issue, happened after we forked from Bitcoin. We then read the code in Zcash to see if we had removed the check separately and found we hadn’t, leading us to conclude that we are not vulnerable to this attack.

We are grateful to the anonymous contributor for this disclosure. We ask anyone who knows of an issue, current or future, which could potentially threaten Zcash users to let us know via gpg to security@z.cash.

Shawn · October 10, 2018, 9:46pm

For reference CVE-2018-17144 : Bitcoin Core :: CVE-2018-17144 Full Disclosure

daira · November 21, 2018, 9:32am

It is worth pointing out that between September 17th and September 20th, when Bitcoin Core devs knew that the issue potentially allowed balance violation but that fact was not public, they made no attempt to inform other projects of the seriousness of the issue; nor to my knowledge did they make sure that other potentially affected projects were informed of the DoS vulnerability independent of the original submitter’s contact.

Topic		Replies	Views
February 8, 2018 - Weekly Update (Community + Comms) Weekly Forum Updates	0	3801	February 8, 2019
January 27, 2017 - Dev update Weekly Forum Updates	0	2406	January 27, 2017
December 3, 2021 - forum update Weekly Forum Updates	0	599	December 3, 2021
March 22, 2019 - Weekly Update (Community + Comms) Weekly Forum Updates	0	3549	March 22, 2019
March 03, 2017 - Dev update Weekly Forum Updates	1	2245	March 4, 2017

Zcash statement on CVE-2018-17144

Related topics