Zecwallet Lightclient Protocol Research and Development

Community Grants Applications
42

Hi, do 1-block reorgs exist by protocol rules?
In bitcoin reorgs happen when the server sees a chain that has more POW, aka longer. Therefore it needs to be at least 2 blocks. A fork that differs by 1 block would have the same POW.
I think it is the same with zcash.

43

Hi, apologies if this has been answered already (quickly skimmed through the discussion here). I was wondering whether the possibility of using react-native-macos and react-native-windows instead of Electron has been looked into, allowing for more code reuse between zecwallet-mobile and zecwallet-lite.

Iā€™m not very knowledgable on the specifics of performance/security between react-native-macos/windows compared to Electron, but this could be an interesting area to explore if working on the stack anyway, and could be a nicer system for Rust bindings; react-native-desktop-qt appears to have been abandoned though, so Electron would likely still be needed for Linux.

44

This has an effect on reliability and privacy. Any shielded transaction spending a note in a once-confirmed transaction that gets reorged away will become invalid (because the anchor changes), so thereā€™s some additional probability that these transactions will fail. When that happens, the spent noteā€™s nullifier will be exposed twice, first in the first attempt to spend and then again once the transaction is repeated, making it possible to link the two transactions together.

Will the wallet use the latest blockā€™s anchor to generate all transactions? If not, an attacker can easily tell when the wallet is spending a note in the latest block since they will be distinguished by using the latest blockā€™s anchor vs. an anchor further back. If yes, then all of the walletā€™s transactions will suffer from the unreliability described above, not just 1-confirmation spends.

5 Likes
45

@adityapk00 It seems as though there are some open questions regarding privacy and security about this recent change.

Iā€™m curious how you came to the decision to implement it and if you consulted any experts in the field prior to doing so. And if not, if you would be willing to roll back the change until itā€™s been reviewed more thoroughly.

2 Likes
46

I did consult with the ECCā€™s wallet team before making this change. Additionally, I think this is also the behaviour of the official zcashd wallet. It allows you to spend funds from the previous block (i.e., 1 conf), and seems to pick the latest witness (i.e, witness from the previous block). I modeled ZecWalletā€™s behaviour to be the same as zcashdā€™s.

With the latest updates, the lightclients are subject to approx. the same reorg risk as the zcashd wallet.

Isnā€™t zcashd subject to the same privacy/reliability problems?

2 Likes
47

I believe this behavior is possible with any wallet, inheriting from Bitcoin. My concern was not that it could, but if it should.

If @earthrise (a ECC core dev) and other community members claim it can have a negative impact on reliability or privacy of transactions, and with ZecWallet being such a prominent wallet, I think itā€™s at least worth taking the time to discuss further.

Iā€™m not a core dev, or on the ECC wallet team. Iā€™m simply trying to understand the benefit vs tradeoffs of this approach.

5 Likes
48

@adityapk00, itā€™s true that zcashd uses minconf = 1 by default.

However, the recommendations are to use 15.

I think you could simply offer the user the option to set the value. Thatā€™s what I do in ZWallet.

2 Likes
49

Btw, I was commenting on this part ealier. 1-block reorg cannot be detected because they are not reorgs but valid forks. Letā€™s say, there is block A and then both miner B & C build on top of it.
There would be 2 forks: A-B and A-C. Both of them have the same POW and are equally valid. The network is split. Some servers will follow A-B, others A-C. It depends on which block they received first. Itā€™s by design and entirely expected. In the original bitcoin paper, Satoshi talks about the gap between honest and attacker. There is no gap when the length is the same.

The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attackerā€™s chain being extended by one block, reducing the
gap by -1.

Now, even if you could detect potential reorgs, i.e. you see that zcashd has both chaintips, it could be too late to do anything. Your transaction is already out.

Scenario:

  • zcashd has A-B,
  • user posts tx based on anchor B
  • zcashd now sees A-C
  • zecwallet detects A-C (hypothetically)
  • ā€¦ ouch too late.
1 Like
50

This is not correct.The 2 blocks B and C do not have the same PoW, they have the same difficulty target. One of them will have slightly more PoW, and zcashd will deterministically reorg to that block.

Please see Get latest block from zcashd by adityapk00 Ā· Pull Request #348 Ā· zcash/lightwalletd Ā· GitHub

For eg, this block on the zcash mainnet was reorgā€™d at the same height:

{
"hash":"0000000000adca687b62d4915836fc8fd5d5dea6b3923942bef3b81b071f8d0f",
"height":1344662,"level":"warning","msg":"REORG/Current Block",
"reorg":0,"time":"2021-08-05T13:51:37-07:00"}
1 Like
51

If they have the same difficulty target, they have the same POW. A block earns POW by passing the hash threshold criteria. It doesnā€™t matter whether it is just barely or by a lot.

The reason for that is to avoid miners continuing work secretly after a block is mined and later introducing a block that rolls back the blockchain.

I remember this because when I implemented a full validating bitcoin server the formula came up.

This is covered by a regression test in bitcoin core.

2 Likes
52

For clarification, the ECC wallet team was informed of the change but didnā€™t advise on the one-confirmation setting. Our apologies @adityapk00 if you were looking for more input than we provided.

The default behavior of zcashd is minconf=1 but as @hanh indicated our recommendation is 15. We had intended to set a default of 10 but have not made the change as of yet.

3 Likes
53

Yes, and that is a long-standing bug: choose less recent JoinSplit, Spend, and Action anchors Ā· Issue #1614 Ā· zcash/zcash Ā· GitHub

Itā€™s always been the case that we recommend choosing anchors several blocks back. Iā€™m sorry if there was a miscommunication about that.

4 Likes
54

I completely forgot zcashd let you do that (even though Iā€™ve used that bug many times! itā€™s convenient!). Unfortunately because of that bug there will probably be a lot of recent-anchor transactions on the chain that you can tell didnā€™t from the mobile wallets because of the recent anchor, so we should plug that privacy leak in zcashd. It doesnā€™t necessarily have to be 10-15 confirmations if users are understanding and accepting of a speed-privacy trade-off, but we should look into how frequent N-block reorgs are. Thereā€™s some more discussion on the zcashd ticket about the privacy leaks.

4 Likes
55

Can Zcash move to account based model for shielded transactions like ethereum? Whatā€™s the technical limitation

56

Is there any reason why the ticket isnā€™t prioritized in ECC sprint? Wondering if we can for all the benefits. I was thinking before ECC looks into scalability & PoS, maybe ECC can dedicate some resources to closing some of the tickets that improves privacy & usability.

1 Like
57

Project Milestone 3

Zecwallet is now about 2/3rd of the way through the this grant. Over the past 2 months, several features have been added to Zecwalletā€™s family of apps (See upstream in this thread for updates)

  • Mempool support for instant notifications
  • Much improved test coverage and build infra
  • LightwalletD compatibility and improvements like price API, Mempool streaming
  • Improved perf, including support for large wallets

Hereā€™s the full list of milestones and their status

image

Whatā€™s next

For the last milestone (Milestone 4), weā€™ll focus on getting Orchard/Halo2 done and shipped in the wallet, including all the orchard features like unified addresses.

7 Likes
58

Thanks @adityapk00. Are you planning to support Shielded by Default - using auto shielding in addition to UAs?

3 Likes
59

(I saw that blog post earlier, havenā€™t had a chance to read it yet)

60

Yes, very much so.

6 Likes
61

Final Milestone Change

Originally, the final milestone for this grant was the Halo2/Orchard update in Zecwallet, including unified addresses and auto shielding, which was scheduled to be completed by Oct 17th. However, due to the Halo2 timeline getting delayed to Jan 2022, weā€™re in a bit of a spot.

We didnā€™t want to delay this grant for 3 months, and have the team idle, nor would it make sense to mark this grant as ā€œdoneā€ with only testnet support for Halo2.

So, Zecwallet consulted with the @ZcashGrants , and weā€™ve together agreed to to swap out the deliverables for the final milestone for this grant. The Halo 2/Orchard features will be done as a part of a new grant next year, and weā€™ll pull in some work we were planning on doing from next year into the current grant.

More specifically: Weā€™ll replace the following deliverables in the final milestone:

  • Unified Addresses in wallet
  • Halo 2 / Orchard support

with the following:

  • Foundational work for Halo2/ Orchard
  • Multiple z and t address support in mobile wallets
  • Import / Export private / viewing keys directly (Including restore from private key instead of seed phrase for zcashd/Zecwallet Fullnode compatibility)
  • New Privacy options in mobile wallet:
    • Download None / Wallet / All memos
    • Use different lightwalletd servers to download blocks / download memos / sending txns, so no one server has all your info.
    • Manual control over t-address shielding.

The timeline (deliver by Oct 17th) and the budget will remain the same

14 Likes